b"                                         September 29, 2006\n\n\n\n\nMEMORANDUM TO:             Luis A. Reyes\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum /RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   INDEPENDENT EVALUATION OF NRC\xe2\x80\x99S\n                           IMPLEMENTATION OF THE FEDERAL INFORMATION\n                           SECURITY MANAGEMENT ACT (FISMA) FOR FISCAL\n                           YEAR 2006 (OIG-06-A-26)\n\n\nAttached please find the Office of the Inspector General\xe2\x80\x99s report, Independent\nEvaluation of NRC\xe2\x80\x99s Implementation of the Federal Information Security Management\nAct (FISMA) for Fiscal Year 2006. This report reflects the results of the independent\nevaluation performed by Richard S. Carson & Associates, Inc., on behalf of the NRC\nOffice of the Inspector General.\n\nThe evaluation determined that the NRC\xe2\x80\x99s information security program has significant\ndeficiencies concerning the 1) lack of certification and accreditation, and 2) not\nperforming annual contingency plan testing. This independent evaluation also identified\neight information security program weaknesses.\n\nDuring an exit conference on September 26, 2006, NRC officials provided comments\nconcerning the draft audit report and subsequently opted to submit formal written\ncomments to this report.\n\nIf you have any questions or wish to discuss this report, please call me at\n415-5915 or Beth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cElectronic Distribution\n\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nE. Roy Hawkens, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. 
Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n  State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n   and Administration, and Chief Information Officer, OEDO\nMichael R. Johnson, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nCynthia A. Carpenter, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nBrian W. Sheron, Director, Office of Nuclear Regulatory Research\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJanet R. Schlueter, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. 
Mallett, Regional Administrator, Region IV\n\x0c            EVALUATION REPORT\n\n\n              Independent Evaluation of NRC\xe2\x80\x99s Implementation\n               of the Federal Information Security Management\n                       Act (FISMA) for Fiscal Year 2006\n\n                     OIG-06-A-26      September 29, 2006\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                           Independent Evaluation of\n                          NRC\xe2\x80\x99s Implementation of the\n                 Federal Information Security Management Act\n                              for Fiscal Year 2006\n\n\n\n\n                            Contract Number: GS-00F-0001N\n                          Delivery Order Number: DR-36-03-346\n\n                                                 September 29, 2006\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                                         Independent Evaluation of\n                                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n           On December 17, 2002, the President signed the E-Government Act of 2002, which\n           included the Federal Information Security Management Act (FISMA) of 2002. 
FISMA\n           outlines the information security management requirements for agencies, which include\n           an annual independent evaluation of the agency\xe2\x80\x99s information security program1 and\n           practices to determine their effectiveness. This evaluation must include testing the\n           effectiveness of information security policies, procedures, and practices for a\n           representative subset of the agency\xe2\x80\x99s information systems. FISMA requires the annual\n           evaluation to be performed by the agency\xe2\x80\x99s Inspector General (IG) or by an independent\n           external auditor.\n\n           Office of Management and Budget (OMB) memorandum M-06-20, FY 2006 Reporting\n           Instructions for the Federal Information Security Management Act and Agency Privacy\n           Management, dated July 17, 2006, requires the agency\xe2\x80\x99s IG to complete the OMB\n           FISMA Reporting Template for Agency IGs. That template, along with any additional\n           narrative the IG believes would provide meaningful insight into the status of the agency\xe2\x80\x99s\n           security or privacy program, is submitted to OMB as part of the agency\xe2\x80\x99s annual FISMA\n           report, and is included as Appendix C to this report.\n\n           This report reflects the status of the agency\xe2\x80\x99s information system security program as of\n           the completion of fieldwork on August 31, 2006. 
Any information received from the\n           agency subsequent to the completion of fieldwork was incorporated when possible.\n\nPURPOSE\n\n           The objective of this review was to perform an independent evaluation of the Nuclear\n           Regulatory Commission\xe2\x80\x99s (NRC) implementation of FISMA for FY 2006.\n\nRESULTS IN BRIEF\n\n           Program Enhancements and Improvements\n\n           To correct weaknesses identified by the FY 2005 FISMA independent evaluation by the\n           NRC Office of the Inspector General (OIG), and to address findings from the agency\xe2\x80\x99s\n           own evaluation, the agency has refocused its information system security program.\n           Under the refocused program, the agency will first perform certification and accreditation\n           for systems that are a high priority from a mission perspective and others that potentially\n           pose a higher security risk (e.g., agency systems that communicate with systems outside\n           the NRC network). The security certification and accreditation of information systems is\n           integral to an agency\xe2\x80\x99s information security program and is an important activity that\n           supports the risk management process required by FISMA. 
Section 3.7 provides an in-\n\n1\n    For the purposes of FISMA, the agency uses the term \xe2\x80\x9cinformation system security program.\xe2\x80\x9d\n\n\n                                                          i\n\x0c                                                                       Independent Evaluation of\n                                                        NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\ndepth discussion of certification and accreditation and its significance to an agency\xe2\x80\x99s\ninformation security program.\n\nThe agency has also accomplished the following since the FY 2005 FISMA independent\nevaluation:\n\n   \xe2\x80\xa2   The agency developed a comprehensive certification and accreditation process,\n       which is not yet finalized. The agency developed templates for all certification\n       and accreditation documents and instructions for completing the templates. The\n       updated certification and accreditation process was also integrated into the\n       agency\xe2\x80\x99s new project management methodology.\n   \xe2\x80\xa2   The agency completed annual self-assessments for all but 1 of the agency\xe2\x80\x99s 30\n       operational systems, for the four NRC regional offices and the Technical Training\n       Center, and for 4 of 12 contractor systems.\n   \xe2\x80\xa2   The agency updated security plans for 3 of the agency\xe2\x80\x99s 30 operational systems.\n       Subsequent to the completion of fieldwork, the agency provided an updated\n       security plan for another system.\n   \xe2\x80\xa2   The agency completed updated risk assessments for 3 of the agency\xe2\x80\x99s 30\n       operational systems. Subsequent to the completion of fieldwork, the agency\n       provided an updated risk assessment for another system.\n   \xe2\x80\xa2   The agency developed an approach for consolidation of NRC information systems\n       inventory systems. 
According to the agency, the reconciliation and consolidation\n       of data from the existing information systems inventory systems is approximately\n       95 percent complete.\n\nSignificant Deficiencies\n\nThe following significant deficiencies were identified in NRC\xe2\x80\x99s information system\nsecurity program.\n\n   \xe2\x80\xa2   Only 1 of the 30 operational NRC information systems has a current certification\n       and accreditation, and only 4 of the 12 systems used or operated by a contractor or\n       other organization on behalf of the agency have a current certification and\n       accreditation. The certification and accreditation for the one agency system that\n       was current during this evaluation expires in October 2006.\n   \xe2\x80\xa2   Annual contingency plan testing is not being performed.\n\n\n\n\n                                         ii\n\x0c                                                                         Independent Evaluation of\n                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\n     Program Weaknesses\n\n     The independent evaluation also identified eight information system security program\n     weaknesses. Five are repeat findings from the FY 2005 FISMA independent evaluation\n     and are identified in the body of the report. 
The following three findings are new.\n\n        \xe2\x80\xa2   Different approaches for the security categorization of general support systems\n            result in confusion over responsibility for implementing security controls for\n            high-impact systems.\n        \xe2\x80\xa2   The Network Continuity of Operations listed system is incorrectly categorized.\n        \xe2\x80\xa2   Known security weaknesses are not being reported on the agency\xe2\x80\x99s plans of action\n            and milestones (POA&M).\n\nRECOMMENDATIONS\n\n     This report makes recommendations to the Executive Director for Operations to improve\n     NRC\xe2\x80\x99s information system security program and implementation of FISMA. A\n     consolidated list of recommendations appears on page 33 of this report.\n\nAGENCY COMMENTS\n\n     At an exit conference with the agency held on September 26, 2006, the agency provided\n     informal written comments and generally agreed with the report recommendations.\n     Where appropriate, the OIG modified the report in response to these comments. On\n     September 28, 2006, the agency provided formal written comments, which can be found\n     in Appendix D.\n\n\n\n\n                                            iii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                      Independent Evaluation of\n                                                       NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nCarson Associates   Richard S. 
Carson and Associates, Inc.\nCIO                 Chief Information Officer\nFIPS                Federal Information Processing Standard\nFISMA               Federal Information Security Management Act\nFY                  Fiscal Year\nIATO                Interim Authorization to Operate\nIG                  Inspector General\nIT                  Information Technology\nLAN/WAN             Local Area Network/Wide Area Network\nNIST                National Institute of Standards and Technology\nNRC                 Nuclear Regulatory Commission\nOIG                 Office of the Inspector General\nOMB                 Office of Management and Budget\nPOA&M               Plan of Action and Milestones\nSP                  Special Publication\nUS-CERT             United States Computer Emergency Readiness Team\n\n\n\n\n                                          v\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                                                 Independent Evaluation of\n                                                                                  NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\n\n1 Background .............................................................................................................. 1\n2 Purpose .................................................................................................................... 1\n3 Findings.................................................................................................................... 1\n  3.1 Total Number of Agency and Contractor Systems....................................... 
4\n  3.2 Agency Performance of FISMA Activities ..................................................... 8\n       3.2.1 Certification and Accreditation............................................................................8\n       3.2.2 Security Control Test and Evaluation ..................................................................9\n       3.2.3 Contingency Planning and Testing ....................................................................11\n  3.3 Oversight of Information Systems Used or Operated by Contractors or\n       Other Organizations...................................................................................... 13\n  3.4 Information Systems Inventory.................................................................... 14\n  3.5 E-Authentication Risk Assessments ........................................................... 16\n  3.6 POA&M Process ............................................................................................ 17\n  3.7 Certification and Accreditation Process ..................................................... 21\n  3.8 Security Configuration Policy ...................................................................... 27\n  3.9 Incident Detection and Handling Procedures ............................................. 29\n  3.10 Security Awareness and Training................................................................ 30\n4 Consolidated List of Recommendations ............................................................. 33\n5 OIG Response to Agency Comments .................................................................. 34\n\n\nAppendices\n\n    Appendix A: Scope and Methodology ............................................................... 35\n    Appendix B: Status of Contingency Plan Testing ............................................ 37\n    Appendix C: FY 2006 OMB FISMA Reporting Template for Agency\n                Inspectors General and Additional Narrative .............................. 
41\n    Appendix D: Formal Agency Comments ........................................................... 51\n\n\n\n\n                                                              vii\n\x0c                                                                                             Independent Evaluation of\n                                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\nList of Tables\n\n   Table 3-1. Total Number of Agency Systems by FIPS 199 Risk Impact\n              Level....................................................................................................... 4\n   Table 3-2. Total Number of Contractor Systems by FIPS 199 Risk Impact\n              Level....................................................................................................... 5\n   Table 3-3. Number of Systems Certified and Accredited by FIPS 199 Risk\n              Impact Level .......................................................................................... 8\n   Table 3-4. Number of Systems With Tested and Evaluated Security\n              Controls by FIPS 199 Risk Impact Level ........................................... 10\n   Table 3-5. Number of Systems With Tested Contingency Plans by FIPS 199\n              Risk Impact Level................................................................................ 11\n   Table 3-6. Program Level POA&Ms Statistics .................................................... 19\n   Table 3-7. System Level POA&Ms Statistics ...................................................... 19\n   Table 3-8. Summary of FY 2006 POA&Ms Through the 3rd Quarter.................. 19\n   Table B-1. Status of Contingency Plan Testing.................................................. 
37\n\n\n\n\n                                                           viii\n\x0c                                                                                        Independent Evaluation of\n                                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\n1          Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002, which included\nFISMA.2 FISMA outlines the information security management requirements for agencies,\nwhich include an annual independent evaluation of the agency\xe2\x80\x99s information security program\nand practices to determine their effectiveness. This evaluation must include testing the\neffectiveness of information security policies, procedures, and practices for a representative\nsubset of the agency\xe2\x80\x99s information systems. FISMA requires the annual evaluation to be\nperformed by the agency\xe2\x80\x99s IG or by an independent external auditor.\n\nOMB memorandum M-06-20 requires the agency\xe2\x80\x99s IG to complete the OMB FISMA Reporting\nTemplate for Agency IGs. That template, along with any additional narrative the IG believes\nwould provide meaningful insight into the status of the agency\xe2\x80\x99s security or privacy program, is\nsubmitted to OMB as part of the agency\xe2\x80\x99s annual FISMA report.\n\nRichard S. Carson and Associates, Inc. (Carson Associates) performed an independent evaluation\nof NRC\xe2\x80\x99s implementation of FISMA for FY 2006. This report presents the results of that\nindependent evaluation. Carson Associates also prepared the OMB FISMA Reporting Template\nfor Agency IGs, along with additional narrative, for inclusion in the agency\xe2\x80\x99s annual FISMA\nreport. 
The OMB FISMA Reporting Template for Agency IGs and the additional narrative is\nincluded as Appendix C to this report.\n\nThis report reflects the status of the agency\xe2\x80\x99s information system security program as of the\ncompletion of fieldwork on August 31, 2006. Any information received from the agency\nsubsequent to the completion of fieldwork was incorporated when possible.\n\n2          Purpose\n\nThe objective of this review was to perform an independent evaluation of NRC\xe2\x80\x99s implementation\nof FISMA for FY 2006.\n\n3          Findings\n\nOver the past 4 years, NRC has continued to make improvements to its information system\nsecurity program, and continues to make progress in implementing the recommendations\nresulting from previous FISMA evaluations. To correct weaknesses identified by the FY 2005\nFISMA independent evaluation by the OIG, and to address findings from the agency\xe2\x80\x99s own\nevaluation, the agency has refocused its information system security program. Under the\nrefocused program, the agency will first perform certification and accreditation for systems that\nare a high priority from a mission perspective and others that potentially pose a higher security\nrisk (e.g., agency systems that communicate with systems outside the NRC network). 
The\nsecurity certification and accreditation of information systems is integral to an agency\xe2\x80\x99s\ninformation security program and is an important activity that supports the risk management\n\n2\n    The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\n    Government Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act,\n    which expired in November 2002.\n\n\n\n                                                         1\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\nprocess required by FISMA. Section 3.7 provides an in-depth discussion of certification and\naccreditation and its significance to an agency\xe2\x80\x99s information security program.\n\nThe first phase of the refocused program included the development of a comprehensive\ncertification and accreditation process, which is not yet finalized. The agency developed\ntemplates for all certification and accreditation documents and instructions for completing the\ntemplates. The updated certification and accreditation process was also integrated into the\nagency\xe2\x80\x99s new project management methodology. 
One of the agency\xe2\x80\x99s operational major\napplications was chosen to \xe2\x80\x9cpilot\xe2\x80\x9d the new process and documentation standards, in part, to\nensure the new process is repeatable.\n\nThe agency has also accomplished the following since the FY 2005 FISMA independent\nevaluation:\n\n   \xe2\x80\xa2   The agency completed annual self-assessments for all but 1 of the agency\xe2\x80\x99s 30\n       operational systems, for the four NRC regional offices and the Technical Training Center,\n       and for 4 of 12 contractor systems.\n   \xe2\x80\xa2   The agency updated security plans for 3 of the agency\xe2\x80\x99s 30 operational systems.\n       Subsequent to the completion of fieldwork, the agency provided an updated security plan\n       for another system.\n   \xe2\x80\xa2   The agency completed updated risk assessments for 3 of the agency\xe2\x80\x99s 30 operational\n       systems. Subsequent to the completion of fieldwork, the agency provided an updated risk\n       assessment for another system.\n   \xe2\x80\xa2   The agency developed an approach for consolidation of NRC information systems\n       inventory systems. According to the agency, the reconciliation and consolidation of data\n       from the existing information systems inventory systems is approximately 95 percent\n       complete.\n\nThe refocused program has not resulted in the completion of a single certification and\naccreditation despite the (1) emphasis on the certification and accreditation of high priority\nsystems and systems with a higher security risk and (2) application of at least $500,000 in\nfunding to this initiative since December 2005. 
In the meantime, the certifications and\naccreditations for all but one of the agency\xe2\x80\x99s operational systems have expired.\n\nThe following significant deficiencies were identified in NRC\xe2\x80\x99s information system security\nprogram.\n\n   \xe2\x80\xa2   Only 1 of the 30 operational NRC information systems has a current certification and\n       accreditation, and only 4 of the 12 systems used or operated by a contractor or other\n       organization on behalf of the agency have a current certification and accreditation. The\n       certification and accreditation for the one agency system that was current during the\n       evaluation expires in October 2006.\n   \xe2\x80\xa2   Annual contingency plan testing is not being performed.\n\n\n\n\n                                                 2\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\nThe independent evaluation also identified eight information system security program\nweaknesses. 
Five are repeat findings from the FY 2005 FISMA independent evaluation, and\nthree are new.\n\n   \xe2\x80\xa2   The majority of NRC systems have not been categorized in accordance with Federal\n       Information Processing Standards (FIPS) Publication 199, Standards for Security\n       Categorization of Federal Information and Information Systems (repeat finding).\n   \xe2\x80\xa2   Different approaches for the security categorization of general support systems result in\n       confusion over responsibility for implementing security controls for high-impact systems\n       (new finding).\n   \xe2\x80\xa2   The agency does not maintain documentation (certification and accreditation memoranda,\n       self-assessments, and copies of annual contingency plan testing results) that demonstrates\n       systems provided by other Federal agencies meet FISMA requirements (repeat finding).\n   \xe2\x80\xa2   Oversight of major applications and general support systems operated by a contractor or\n       other organization on behalf of the agency is lacking (repeat finding).\n   \xe2\x80\xa2   The Network Continuity of Operations listed system is incorrectly categorized (new\n       finding).\n   \xe2\x80\xa2   E-authentication risk assessments have been completed for only 10 of the agency\xe2\x80\x99s 30\n       operational systems as required by OMB memorandum M-04-04, E-Authentication\n       Guidance for Federal Agencies (repeat finding).\n   \xe2\x80\xa2   Known security weaknesses are not being reported on the POA&Ms (new finding).\n   \xe2\x80\xa2   The agency lacks policies and procedures for ensuring employees with significant\n       information technology (IT) security responsibilities receive security training (repeat\n       finding).\n\nThe following sections present the detailed findings from the independent evaluation. As stated\npreviously, some findings are new, and some are repeat findings from the previous FISMA\nindependent evaluation. 
Only new findings will have a corresponding recommendation. The\nfollowing sections are organized based on the OMB FISMA Reporting Template for Agency\nIGs, which can be found in Appendix C. Each major section corresponds to a question or set of\nquestions from the template.\n\n\n\n\n                                               3\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\n3.1       Total Number of Agency and Contractor Systems\n\nAgency Systems\n\n                               OMB Requirement                                              OIG Response\n    1. As required in FISMA, the IG shall evaluate a representative                   See Table 3-1 below.\n    subset of systems, including information systems used or operated\n    by an agency or by a contractor of an agency or other\n    organization on behalf of an agency. By FIPS 199 risk impact\n    level (high, moderate, low, or not categorized) and by bureau,\n    identify the number of systems reviewed in this evaluation for each\n    classification below (a., b., and c.).\n    1.a. Agency Systems.\n\n          Table 3-1. 
Total Number of Agency Systems by FIPS 199 Risk Impact Level\n                                FIPS 199 Risk             Total             Number\n                                Impact Level             Number            Reviewed\n                                      High                    3                 0\n                                   Moderate                   8                 0\n                                      Low                     0                 0\n                               Not Categorized                19                0\n                                      Total                   30                0\n\nNRC has a total of 303 operational systems that fall under FISMA reporting requirements.4 Of\nthe 30, 17 are general support systems,5 and 13 are major applications.6 As required by FISMA,\nthe NRC OIG selected a subset of NRC systems for evaluation during the FY 2006 FISMA\nindependent evaluation. However, during the course of fieldwork, the OIG learned that the re-\ncertification and re-accreditation of these systems, scheduled to be completed by August 2006,\nwould not be completed during the FY 2006 FISMA reporting period. Furthermore, there were\nno other systems to evaluate because there were only two operational systems with a current\ncertification and accreditation at the time the OIG was selecting systems for evaluation. One of\nthese systems was evaluated by the OIG in FY 2006 and the other system\xe2\x80\x99s certification and\naccreditation expired during the FY 2006 FISMA reporting period. Without enough systems\n\n\n3\n  The agency reports 31 operational systems. The OIG disagrees with the agency that an OIG system is a major\n  application. It has been categorized as a listed system since it began operations in 2004. This designation is\n  presently under a detailed review. 
Therefore, the metrics in this report reflect a total of 30 operational systems.\n4\n  NRC also has a number of major applications and general support systems currently in development. For FISMA\n  reporting purposes, only operational systems are considered.\n5\n  A general support system is an interconnected set of information resources under the same direct management\n  control that share common functionality. Typical general support systems are local and wide area networks,\n  servers, and data processing centers.\n6\n  A major application is a computerized information system or application that requires special attention to security\n  because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or\n  modification of the information in the application.\n\n\n\n                                                          4\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\nwith current certifications and accreditations, Carson Associates could not perform an evaluation\nof a representative subset of agency systems for the FY 2006 FISMA independent evaluation.\n\nA current certification and accreditation is needed to perform a system evaluation because it\ncontains a description of the current planned and in place security controls for a system. This\ninformation is found in the system\xe2\x80\x99s security plan, which is a part of a system\xe2\x80\x99s certification and\naccreditation package. An understanding of whether the in place security controls are operating\nas intended, as well as any risk associated with operating the system with the described security\ncontrols, is also necessary for performing a system evaluation. 
This information is also found in the system's certification and accreditation package.

Contractor Systems

OMB Requirement: 1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.). 1.b. Contractor Systems.
OIG Response: See Table 3-2 below.

Table 3-2. Total Number of Contractor Systems by FIPS 199 Risk Impact Level

    FIPS 199 Risk Impact Level    Total Number    Number Reviewed
    High                                     0                  0
    Moderate                                 0                  0
    Low                                      1                  0
    Not Categorized                         11                  0
    Total                                   12                  0

NRC has a total of 12 systems operated by a contractor or other organization on behalf of the agency (8 major applications and 4 general support systems). Of the 12, 7 are operated by other Federal agencies, 2 are operated by federally funded research and development centers, and 3 are operated by private contractors. Carson Associates selected 1 of the 12 systems operated by a contractor or other organization on behalf of the agency for evaluation during the FY 2006 FISMA independent evaluation. However, that system did not have a current certification and accreditation, and there was not sufficient information available to perform an evaluation.

FINDING A – Majority of NRC Systems Have Not Been Categorized in Accordance With FIPS 199 (Repeat Finding)

FIPS 199 requires all agencies to categorize their information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. All systems should have been categorized using FIPS 199 by February 2005.

However, despite this requirement, Carson Associates found that the majority of NRC information systems, including systems operated by a contractor or other organization on behalf of the agency, still have not been categorized in accordance with FIPS 199. Specifically, only 11 of the 30 operational NRC information systems have been categorized. Only 1 of the 12 contractor systems has been categorized.[7]

This is a repeat finding from the FY 2005 FISMA independent evaluation. Of the eight security categorizations evaluated in FY 2005, (1) four were updated in FY 2006, (2) three are being revised as part of the re-certification and re-accreditation of their respective systems (two are complete, but have not been approved), and (3) one is for a system that has been combined with another system.
In FY 2006, the agency completed another seven security categorizations for NRC systems, and one for a contractor system. According to the agency, the current target date for completing all system security categorizations is the end of calendar year 2006.

Not only is security categorization required by FIPS 199, it is needed to select the minimum security controls for a system as defined in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. Without a security categorization, the agency cannot determine the appropriate minimum security controls for its information systems and cannot determine whether the current controls for the information systems are adequate. In addition, the agency cannot be assured that it is using the correct minimum security control baseline from NIST SP 800-53 when performing its annual self-assessments.

FINDING B – Different Approaches for the Security Categorization of General Support Systems Result in Confusion Over Responsibility for Implementing Security Controls for High-Impact Systems (New Finding)

FIPS 199 states that for an information system, the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values from among those security categories that have been determined for each type of information resident on the information system. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, states that a general support system can have a FIPS 199 impact level of low, moderate, or high in its security categorization depending on the criticality or sensitivity of the system and any major applications the general support system is supporting.

[7] The agency has reported that an additional four agency systems have been categorized. However, security categorizations for these systems are still under review by the agency or were not approved. Therefore, these systems are not included in the metrics.

The agency has categorized one of its general support systems as a high-impact system. The agency has categorized another general support system as a moderate-impact system. While the majority of the systems supported by the first general support system are categorized as low or moderate, there are a few systems supported by that general support system that are categorized as high. For this reason, this general support system was divided into two subsystems: a general support system for moderate-impact systems and a general support system for high-impact systems. This approach is consistent with NIST guidance.

In order to function in a cost-effective manner suitable for most NRC systems, the other general support system will only process information at a moderate level. This is the rationale for the moderate-impact security categorization of that system. It is incumbent upon high-impact systems that rely on moderate-impact general support systems to implement the additional controls required by a high-impact categorization. This approach, also consistent with NIST guidance, is often used when an agency has only a few high-impact systems and it would be more cost-effective for the systems with the high-impact security categorization to implement the additional controls.
However, this approach is not consistent with the approach taken with the first general support system, resulting in confusion as to who is responsible for implementing the additional controls.

As a result of the different approaches taken when categorizing general support systems, system owners may assume that a general support system is providing controls commensurate with their system's impact level, when in fact the general support system does not. This possible scenario is illustrated in two of the FY 2006 self-assessments for systems that have been categorized as high-impact systems.[8] The security control SI-3, malicious code protection, includes one enhancement at the moderate-impact level, and an additional enhancement at the high-impact level. Both self-assessments reflect the system owners' belief that the second enhancement is implemented at the agency level, and not by the system. One of the two self-assessments specifically states that this enhancement is "inherited" from the moderate-impact general support system described above, as well as from two other general support systems. However, the self-assessments for those general support systems do not address the second enhancement, as the systems were only categorized as moderate-impact systems.

Therefore, it is imperative that the agency clearly identify those additional controls that high-impact systems would not "inherit" from underlying general support systems that have a moderate-impact categorization. It is also imperative that system owners of high-impact systems understand that they are responsible for implementing those additional controls.

[8] Only one of the security categorizations for the two systems whose self-assessments are discussed in the example has been approved by the agency. The self-assessment for the other system was based on a high-impact security categorization.

RECOMMENDATION

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Clearly identify the additional controls that are the responsibility of a high-impact system when a general support system categorized as moderate-impact supports a high-impact system.

3.2 Agency Performance of FISMA Activities

3.2.1 Certification and Accreditation

OMB Requirement: 2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year. 2.a. Number of systems certified and accredited.
OIG Response: See Table 3-3 below.

Table 3-3. Number of Systems Certified and Accredited by FIPS 199 Risk Impact Level

    FIPS 199 Risk Impact Level    Agency    Contractor    Total
    High                               0             0        0
    Moderate                           0             0        0
    Low                                0             0        0
    Not Categorized                    1             4        5
    Total                              1             4        5

Agency Systems

Only 1 of the 30 operational NRC information systems has a current certification and accreditation. The certification and accreditation for this system will expire in October 2006. Section 3.7 of this report discusses the assessment of the agency's certification and accreditation process in detail.

Contractor Systems

Of the 12 systems operated by a contractor or other organization on behalf of the agency, only 4 have been certified and accredited. These four systems are operated by other Federal agencies. Of the remaining eight, three are operated by other Federal agencies, two are operated by federally funded research and development centers, and three are operated by private contractors.

The FY 2005 FISMA independent evaluation found that the agency does not maintain documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements and that oversight for other contractor systems is lacking.
Section 3.3 of this report discusses the assessment of the agency's oversight of information systems used or operated by a contractor or other organization on behalf of the agency. Section 3.3 also discusses the current status of recommendations from the FY 2005 FISMA independent evaluation regarding these findings.

FINDING C – The Majority of NRC Systems Are Not Certified and Accredited (Significant Deficiency)

OMB defines a significant deficiency as "a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets." OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, provides three specific examples of a significant deficiency, each of which must be reported as such: (1) the failure to assign responsibility for security of the system or application, (2) the lack of a system security plan, and (3) the absence of authorization to process (certification and accreditation).

In accordance with OMB requirements, the fact that only 1 of the 30 operational NRC information systems has a current certification and accreditation, and that only 4 of the 12 systems used or operated by a contractor or other organization on behalf of the agency have a current certification and accreditation, constitutes a significant deficiency. This deficiency is not a recent problem. The agency has made little progress in correcting the deficiency, and according to the agency, completion of all outstanding certifications and accreditations is not expected until 2009.

3.2.2 Security Control Test and Evaluation

OMB Requirement: 2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year. 2.b. Number of systems for which security controls have been tested and evaluated in the last year.
OIG Response: See Table 3-4 below.

Table 3-4. Number of Systems With Tested and Evaluated Security Controls by FIPS 199 Risk Impact Level

    FIPS 199 Risk Impact Level    Agency    Contractor    Total
    High                               3             0        3
    Moderate                           8             0        8
    Low                                0             1        1
    Not Categorized                   18             3       21
    Total                             29             4       33

Agency Systems

FISMA requires agencies to test and evaluate the security controls of every information system identified in their inventory no less than annually. The necessary depth and breadth of an annual system review depends on several factors, such as (1) the potential risk and magnitude of harm to the system or data, (2) the relative comprehensiveness of the most recent past review, and (3) the adequacy and successful implementation of the POA&M for weaknesses in the system. For example, if last year a system underwent a complete certification and accreditation, this year a relatively simple update or maintenance review may be sufficient, provided it has been adequately documented. The FY 2006 FISMA guidance allows agencies to use either (1) NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, or (2) FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST SP 800-53 for the specification and assessment of security controls for Federal information systems.

NRC meets the FISMA requirement to test and evaluate the security controls of agency information systems by performing annual self-assessments on the systems.
In addition, NRC developed a self-assessment for common controls that are applicable to all NRC systems. NRC performed self-assessments on all agency operational systems with the exception of one general support system. NRC also performed self-assessments on the four NRC regional offices and the NRC Technical Training Center.[9]

Contractor Systems

NRC performed self-assessments on 4 of the 12 systems operated by a contractor or other organization on behalf of the agency. Of the four, two were full self-assessments, and two were site assessments. The remaining 8 systems operated by a contractor or other organization on behalf of the agency are operated by other Federal agencies. As stated previously, the FY 2005 FISMA independent evaluation found that the agency does not maintain documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements. Refer to Section 3.3 of this report for a discussion of the current status of recommendations from the FY 2005 FISMA independent evaluation regarding these findings.

[9] The self-assessments for the regional offices and the Technical Training Center were only site assessments. As such, only the physical and environmental, and personnel security controls were evaluated as part of the site assessment.

3.2.3 Contingency Planning and Testing

OMB Requirement: 2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year. 2.c. Number of systems for which contingency plans have been tested in accordance with policy and guidance.
OIG Response: See Table 3-5 below.

Table 3-5. Number of Systems With Tested Contingency Plans by FIPS 199 Risk Impact Level

    FIPS 199 Risk Impact Level    Agency    Contractor    Total
    High                               0             0        0
    Moderate                           3             0        3
    Low                                0             1        1
    Not Categorized                    0             0        0
    Total                              3             1        4

Agency Systems

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, states that contingency plans should be tested at least annually and when significant changes are made to the information system, supported business process(es), or the contingency plan. As of September 1, 2006, Carson Associates had received contingency plan testing results for only 1 of NRC's 30 operational information systems.
Subsequent to the completion of fieldwork, the agency provided contingency plan testing results for three additional systems; however, the agency has only reviewed and approved the results for two of the additional systems.

Contractor Systems

Of the 12 systems operated by a contractor or other organization on behalf of the agency, only 1 has had its contingency plan tested in the past year.[10] As stated previously, the FY 2005 FISMA independent evaluation found that the agency does not maintain documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements. Refer to Section 3.3 of this report for a discussion of the current status of recommendations from the FY 2005 FISMA independent evaluation regarding these findings.

[10] Documentation supporting the contingency plan testing for this system was also provided subsequent to the completion of fieldwork.

FINDING D – Annual Contingency Plan Testing Is Not Being Performed (Significant Deficiency)

As stated previously, NIST SP 800-34 states that contingency plans should be tested at least annually. However, despite this requirement, Carson Associates found that only 3 of the agency's 30 operational information systems, and 1 of the agency's contractor systems, have had their contingency plans tested in FY 2006.

This is a repeat finding from the FY 2005 FISMA independent evaluation. The OIG recommended that the agency develop and implement procedures to ensure contingency plans are tested annually, regardless of the status of a system's certification and accreditation. According to the agency, resources have not been available to support completion of annual contingency plan testing (including test reporting and contingency plan update). According to the agency, the current target date for completing contingency plan testing for all agency systems is August 1, 2007. However, the 3rd Quarter FY 2006 POA&Ms submitted to OMB have projected completion dates for contingency plan testing as late as December 2008.

The following is a summary of the status of contingency plan testing for the 30 operational NRC systems:

   •   Five systems have never had their contingency plans tested.
   •   Two systems have never had their contingency plans tested, as they are new general support systems identified when the NRC local area network/wide area network (LAN/WAN) was divided into several general support systems. There is insufficient documentation to determine whether these systems were covered by previous LAN/WAN contingency plan tests.
   •   One system has not had its contingency plan tested in over 3 years.
   •   Fifteen systems have not had their contingency plans tested in over 2 years. Many of these systems are general support systems that were identified when the LAN/WAN was divided into several general support systems. There is insufficient documentation to determine whether these systems were fully covered by previous LAN/WAN contingency plan tests.
   •   Two systems had their contingency plans tested in 2005.
   •   Five systems had their contingency plans tested in 2006 (two are still under agency review).

See Appendix B for details on the status of contingency plan testing for all agency operational systems, as well as for one contractor system.

As stated previously, OMB defines a significant deficiency as "a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets."

FISMA defines eight primary components of an agency's information system security program, including (1) annual testing of management, operational, and technical controls of every information system identified in the agency's inventory, and (2) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

The testing of contingency plans is a key element of the two information system security program components described above. It is essential in determining whether plans will function as intended in an emergency situation.
Without testing, the agency has limited assurance that it will be able to recover mission-critical applications, business processes, and information in the event of an unexpected interruption. Even a minor interruption could result in lost or incorrectly processed data if the contingency plan has not been tested.

In accordance with OMB requirements, the fact that the agency has failed to conduct annual contingency plan testing for the past two years constitutes a significant deficiency. This deficiency is not a recent problem, and the agency has made little progress in correcting the deficiency. According to the agency, completion of all contingency plan testing is not anticipated for at least another year.

3.3 Oversight of Information Systems Used or Operated by Contractors or Other Organizations

OMB Requirement: 3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 and/or NIST 800-53 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.
OIG Response: Mostly, for example, approximately 81-95% of the time.

FISMA requires agencies to provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (1) information collected or maintained by or on behalf of the agency and (2) information systems used or operated by an agency or other organization on behalf of an agency.[11]

[11] Information systems used or operated by a contractor of an agency or other organization on behalf of the agency refers to information systems that the agency considers to be either major applications or general support systems.

FINDING E – Agency Does Not Maintain Documentation That Demonstrates Systems Provided By Other Federal Agencies Meet FISMA Requirements (Repeat Finding)

The FY 2005 FISMA independent evaluation found that the agency does not maintain documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements. The OIG made three recommendations to address this finding. According to the agency, the scheduled completion date for these recommendations was August 31, 2006.

As of September 1, 2006, the agency had received certification and accreditation memoranda for four of the seven systems provided by Federal agencies. The agency has been working with the offices to assist in acquiring the required documentation for the remaining Federal systems. However, according to the agency, some of the other Federal agencies have been unwilling to provide documentation that demonstrates they meet FISMA requirements. The other Federal agencies have also been unwilling to share copies of their annual self-assessments or results from their annual contingency plan testing. In a follow-up memorandum to the agency regarding the status of these recommendations, the OIG suggested a possible solution to the problem. The OIG stated that a memorandum from the Federal agencies stating that annual self-assessments and annual contingency plan testing have been completed will be sufficient to meet the intent of the recommendations. The agency is currently working towards obtaining such memoranda.

FINDING F – Oversight of Other Contractor Systems Is Lacking (Repeat Finding)

The FY 2005 FISMA independent evaluation also found that oversight of other contractor systems is lacking. The OIG made one recommendation to address this finding. According to the agency, the scheduled completion date for this recommendation is December 29, 2006.

The agency recently learned that development systems are connected to the NRC operational environment via a general support system operated by a contractor, resulting in significant risk to the infrastructure. This recent development illustrates the need to develop policies and procedures for performing oversight of contractor systems as soon as possible.

3.4 Information Systems Inventory

OMB Requirement: 3.b.1. The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
OIG Response: Approximately 51-70% complete.

OMB Requirement: 3.b.2. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list the systems that are missing from the inventory.
OIG Response: Missing: Network Continuity of Operations.

OMB Requirement: 3.c. The OIG generally agrees with the Chief Information Officer (CIO) on the number of agency owned systems.
OIG Response: Yes.

OMB Requirement: 3.d. The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.
OIG Response: Yes.

OMB Requirement: 3.e. The agency inventory is maintained and updated at least annually.
OIG Response: Yes.

FISMA requires agencies to develop and maintain an inventory of major information systems operated by or under control of the agency. The inventory must include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
The inventory must be updated at least annually and must also be used to support information resources management.

While FISMA requires agencies to maintain an inventory of only major information systems (major applications and general support systems), NRC also tracks two other system types in its inventories – Listed and Other.

   •   Listed – a computerized information system or application that (1) processes sensitive information requiring additional security protections and (2) may be important to an NRC office’s or region’s operations, but which is not a major application or general support system when viewed from an agency perspective. Sensitive data may include individual Privacy Act information, law enforcement sensitive information, sensitive contractual and financial information, safeguards, and classified information.
   •   Other – an NRC system that does not require additional security protections and is adequately protected by the security provided by the NRC LAN/WAN.

The FY 2005 FISMA independent evaluation found that the agency’s inventory was only 51-70 percent completed because (1) information in the agency’s two inventory systems was inaccurate and inconsistent and (2) only one of the two inventory systems contained information on system interfaces. In FY 2005, Carson Associates generally agreed with the CIO on the number of agency owned major applications and general support systems, but did not agree with the CIO on the number of agency owned systems in the listed and other categories. Carson Associates also found that the agency’s inventory was not maintained and updated at least annually.

In FY 2006, Carson Associates again generally agreed with the CIO on the number of agency owned major applications and general support systems.
However, Carson Associates could not fully evaluate the following questions from the OMB FISMA Reporting Template for Agency IGs, as the agency had not completed the recommendations resulting from the FY 2005 FISMA independent evaluation regarding problems with the inventory.

   •   Does the inventory include information on system interfaces? (2nd part of 3.b.1)
   •   Does the OIG generally agree on the number of agency owned systems? (3.c)
   •   Is the inventory maintained and updated at least annually? (3.e)

In response to the FY 2005 findings regarding the inventory, the agency developed an approach for consolidation of the agency’s inventory systems. According to the agency, the reconciliation and consolidation of the two inventories evaluated in FY 2005 is approximately 95 percent complete. The agency is continuing to work to resolve inaccuracies in the existing inventories, and has estimated that the inventories will be reconciled and ready for upload into the new NRC Systems Inventory and Configuration Database by July 30, 2006. However, as of September 1, 2006, the agency had not demonstrated that the reconciliation has been completed.

FINDING G – The Network Continuity of Operations Listed System Is Incorrectly Categorized (New Finding)

OMB memorandum M-06-20 provides examples of high-impact systems. The memorandum states that all systems identified as “necessary to support agency continuity of operations” are high-impact systems.
These systems would include, for example, telecommunications systems identified in agency reviews under OMB’s June 30, 2005, memorandum M-05-16, Regulation on Maintaining Telecommunications Service During Crisis or Emergency in Federally-owned Buildings.

The agency’s Network Continuity of Operations system is currently categorized as a listed system. In accordance with OMB guidance, the Network Continuity of Operations system is a high-impact system, and therefore should be categorized as a general support system, and not a listed system.

RECOMMENDATION

      The Office of the Inspector General recommends that the Executive Director for Operations:

      2. Re-categorize the Network Continuity of Operations system as a general support system.

3.5    E-Authentication Risk Assessments

OMB Requirement and OIG Response

3.f.   The agency has completed system e-authentication risk assessments.
       OIG Response: No

In December 2003, OMB issued memorandum M-04-04, E-Authentication Guidance for Federal Agencies. The guidance applies to remote authentication of human users of Federal agency information technology systems for the purposes of conducting Government business electronically (or e-Government). Remote authentication occurs when users identify and authenticate to information systems from outside of a specified security perimeter that is considered to offer sufficient protection. Performing an e-authentication risk assessment can also assist agencies in determining the appropriate identification and authentication controls for their systems. In addition, the e-authentication initiative is the first reusable component of the Federal Enterprise Architecture, the second e-Government cross-cutting initiative.
Part of the Federal Enterprise Architecture plan is that the vast majority of Federal systems incorporating authentication functions should migrate to support e-authentication over time.

FINDING H – E-Authentication Risk Assessments Have Not Been Completed (Repeat Finding)

The FY 2005 FISMA independent evaluation found that e-authentication risk assessments had been completed for only 6 of the agency’s 27 operational systems.[12] In FY 2005, Carson Associates reviewed the six completed e-authentication risk assessments and found them to be incorrect and inconsistent with the systems’ FIPS 199 security categorizations. For example, in some instances, the e-authentication assurance level was incorrectly determined based on the impact levels assigned to the six categories of harm and impact defined in OMB memorandum M-04-04. In other instances, the impact levels assigned to the six categories of harm and impact were not consistent with the FIPS 199 security categorizations of the systems. In FY 2005, the agency stated that e-authentication risk assessments would be “supported under the interim Information Systems Security contract awarded August 11, 2005, and were expected to be completed by December 15, 2005.”

However, as of September 1, 2006, the agency had only provided e-authentication risk assessments for 10 of the agency’s 30 operational systems, and 1 of the agency’s contractor systems.
According to the agency, the current target date for completing all outstanding e-authentication risk assessments is July 30, 2007.

3.6    POA&M Process

OMB Requirement and OIG Response

4.a.   The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
       OIG Response: Almost Always, for example, approximately 96-100% of the time

4.b.   When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
       OIG Response: Almost Always, for example, approximately 96-100% of the time

4.c.   Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.
       OIG Response: Almost Always, for example, approximately 96-100% of the time

4.d.   CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
       OIG Response: Almost Always, for example, approximately 96-100% of the time

4.e.   OIG findings are incorporated into the POA&M process.
       OIG Response: Almost Always, for example, approximately 96-100% of the time

4.f.   POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
       OIG Response: Almost Always, for example, approximately 96-100% of the time

[12] In FY 2005, the agency had 27 operational systems. The agency now has 30 operational systems.

NRC has two primary tools for tracking IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency. At a high level, NRC uses the POA&Ms submitted to OMB to track (1) corrective actions from the OIG annual independent evaluation, (2) corrective actions from the agency’s annual review, and (3) recurring FISMA and IT security action items such as annual self-assessments, and annual contingency plan testing. The POA&Ms may also include corrective actions resulting from other security studies conducted by or on behalf of NRC.

At a more detailed level, NRC uses an internal system to track the progress of more specific corrective actions.
These include corrective actions resulting from activities associated with the certification and accreditation process (e.g., risk assessment, security test and evaluation).

The agency has made minimal progress in correcting weaknesses reported on its POA&Ms. The agency has corrected 15 percent of its program level weaknesses, and 22.7 percent of its system level weaknesses. The majority of delays have been caused by delays in completing certifications and accreditations, as described later in this report in Section 3.7.

In assessing the agency’s POA&M process, Carson Associates also found that (1) the metrics submitted to OMB often deviated from the actual POA&Ms, (2) the agency is not always following OMB’s POA&M guidance, and (3) known security weaknesses are not being reported on the POA&M.

NRC Has Made Minimal Progress in Correcting Weaknesses Reported on Its POA&Ms

The agency carried over a total of 3 program level and 136 system level weaknesses from FY 2005 into FY 2006. The following tables provide statistics from the three FY 2006 POA&Ms the agency has submitted to OMB.

Table 3-6. Program Level POA&Ms Statistics

  Quarter     # At Start   # New   # Completed   # On-going   # Delayed   # For Start of
              of Quarter                                                  Next Quarter
  Q1                   3      10             0           10           3               13
  Q2                  13       7             5            8           7               15
  Q3                 *16      20             2           27           7               34

  * A weakness was reported as closed in Q2 in error and was reported correctly as delayed in Q3.

Table 3-7. System Level POA&Ms Statistics

  Quarter     # At Start   # New   # Completed   # On-going   # Delayed   # For Start of
              of Quarter                                                  Next Quarter
  Q1                 136      71            12          100          95              195
  Q2                *194      34            17          107         104              211
  Q3                 211      14            37           43         145              188

  * A weakness that was not IT related was removed from the POA&M.

The following table summarizes the total number of weaknesses included in the FY 2006 POA&Ms, the total number of corrective actions the agency has reported as completed, the total number of corrective actions that are still on-going, and the number of corrective actions whose completion has been delayed.

Table 3-8. Summary of FY 2006 POA&Ms Through the 3rd Quarter

                     Total #      Total #      Total #    Total #       %
                     Weaknesses   Completed    On-going   Delayed   Completed
  Program Level              40       *7 (6)         27         7        15 %
  System Level              255    **66 (58)         43       145      22.7 %

  * One program level weakness was reported as closed in error
  ** Eight system level weaknesses were reported as closed in error

It should be noted that the six program level corrective actions completed in FY 2006 were from previous FISMA reports. However, of the 58 system level corrective actions completed in FY 2006, only 3 were from previous FISMA reports. The following is a summary of the remaining 55 system level corrective actions completed in FY 2006:

   •   2 were reported as completed, but are considered not completed by OIG.
   •   6 were reported as completed, but the documents related to the weakness have not been reviewed by the agency, or were not approved by the agency.
   •   5 were reported as completed due to a re-categorization of the system or because a system was combined with another system.
   •   14 of the completed corrective actions were action items to complete monthly status reports required by interim approval to operate memoranda.
   •   13 of the completed corrective actions were action items resulting from the agency’s annual security reviews (e.g., complete annual self-assessments, complete annual contingency plan testing).
   •   15 of the completed corrective actions were action items resulting from other OIG reviews.

Metrics Submitted to OMB Deviate From the Actual POA&Ms

As in FY 2005, Carson Associates found discrepancies between the metrics submitted to OMB and the actual POA&Ms. However, the discrepancies in the metrics are not significant enough to report as a weakness and are due, in part, to the large number of weaknesses being tracked on the agency’s POA&Ms.

The Agency Is Not Always Following OMB’s POA&M Guidance

As stated previously, the agency is not always following OMB’s POA&M guidance. The following are some examples of deviations from OMB’s POA&M guidance found on the FY 2006 POA&Ms.

   •   The agency reported five weaknesses from OIG reports as completed when the OIG still considered the weaknesses unresolved. All but two have been subsequently closed by the OIG.
   •   The agency reported six weaknesses as completed when the agency had not reviewed and/or approved supporting documentation. In one case, a document was actually not accepted; therefore, the weakness was not actually completed.
   •   The agency reported nine weaknesses as completed in error. Carson Associates could not determine whether these errors were an oversight, or were because the agency is not verifying that the weaknesses were actually completed.
   •   Weaknesses with completion dates over a year old are not always removed from the POA&Ms.

While the agency is not always following OMB’s POA&M guidance, the agency is using the POA&Ms to track almost all known security weaknesses. Program officials report to the CIO on a quarterly basis on their remediation progress.
In some cases, program officials are required to report to the CIO on a monthly basis.

FINDING I – Known Security Weaknesses Are Not Being Reported on the POA&Ms (New Finding)

OMB guidance states that agency POA&Ms must reflect known security weaknesses within an agency and shall be used by the agency, program officials, and the IG as the authoritative agency management mechanism to prioritize, track, and manage all agency efforts to close security performance gaps. However, Carson Associates found that not all known security weaknesses are being reported on the POA&Ms.

Penetration Testing

The agency conducted a penetration test in December 2005. The penetration testing report dated March 29, 2006, included a total of eighteen findings with corresponding recommendations. The most recent POA&Ms do not include all of the recommendations resulting from the December penetration testing. There are some very general corrective actions on the POA&Ms, such as “Review results from Penetration Test, determine necessary actions, and develop task/milestone schedule for task.” However, it is not clear which specific recommendations from the penetration testing report are addressed by these corrective actions.

Business Continuity Plan Testing

The findings from two contingency plan tests conducted in 2005, and one contingency plan test conducted in 2006, were not reported on the respective system POA&Ms.

RECOMMENDATION

       The Office of the Inspector General recommends that the Executive Director for Operations:

       3. Re-evaluate the procedures developed for identifying weaknesses to be tracked to ensure all known security weaknesses are reported on the POA&Ms.

3.7    Certification and Accreditation Process

OMB Requirement and OIG Response

5.     Assess the overall quality of the Department’s certification and accreditation process.
       OIG Response: Fail

Certification and Accreditation

The security certification and accreditation of information systems is integral to an agency’s information security program and is an important activity that supports the risk management process required by FISMA. Information systems under development must be certified and accredited prior to becoming operational. Operational information systems must be re-certified and re-accredited every 3 years in accordance with Federal policy,[13] and whenever there is a significant change[14] to the information system or its operational environment.

[13] OMB Circular A-130, Appendix III.
[14] Examples of significant changes to an information system that should be reviewed for possible re-accreditation include (1) installation of a new or upgraded operating system, middleware component, or application; (2) modifications to system ports, protocols, or services; (3) installation of a new or upgraded hardware platform or firmware component; and (4) modifications to cryptographic modules or services. Changes in laws, directives, policies, or regulations, while not always directly related to the information system, can also potentially affect the system security and trigger a re-accreditation action.

The following diagram[15] illustrates the key activities, including certification and accreditation, in managing enterprise-level risk, i.e., risk resulting from the operation of an information system. As illustrated in the diagram, NIST has developed several standards and guidelines to support the management of enterprise risk. Some of these guidelines and standards were developed only within the past two years, requiring agencies to make changes to their certification and accreditation policies and procedures.
NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidelines for certification and accreditation.

Security certification is a comprehensive assessment of the management, operational, and technical security controls[16] planned and in place in an information system to determine the extent to which the controls are (1) implemented correctly, (2) operating as intended, and (3) producing the desired outcome with respect to meeting the security requirements for the information system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.

[15] The diagram was adapted from a diagram found in the NIST presentation “Building More Secure Information Systems: A Strategy for Effectively Applying the Provisions of FISMA,” dated July 29, 2005 (http://csrc.nist.gov/sec-cert/PPT/fisma-overview-July29-2005.ppt).
[16] Management controls are the safeguards or countermeasures that focus on the management of risk and the management of information system security. Operational controls are the safeguards or countermeasures that primarily are implemented and executed by people (as opposed to systems). Technical controls are the safeguards or countermeasures that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Security certification can include a variety of assessment methods (e.g., interviewing, inspecting, studying, testing, demonstrating, and analyzing) and associated assessment procedures depending on the depth and breadth of assessment required by the agency.

Security accreditation is the official management decision given by a senior agency official to (1) authorize operation of an information system and (2) explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. By accrediting an information system, an agency official accepts responsibility for the information system’s security.

There are three types of accreditation decisions that can be rendered by authorizing officials: (1) authorization to operate, (2) interim authorization to operate (IATO), and (3) denial of authorization to operate.

   •   Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is acceptable.
   •   Interim Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable, but there is an overarching mission necessity to place the information system into operation or continue its operation. An IATO is rendered when the security vulnerabilities identified in the information system (resulting from deficiencies in the planned or implemented security controls) are significant but can be addressed in a timely manner. An IATO provides a limited authorization to operate the information system under specific terms and conditions and acknowledges greater risk to the agency for a specified period of time. In accordance with OMB policy, an information system is not accredited during the period of limited authorization to operate. The duration established for an IATO should be commensurate with the risk to agency operations, agency assets, or individuals associated with the operation of the information system. When the security-related deficiencies have been adequately addressed, the IATO should be lifted and the information system authorized to operate.
   •   Denial of Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable. The information system is not accredited and should not be placed into operation. If the information system is currently operational, all activity should be halted.

The FY 2005 FISMA independent evaluation found that the majority of NRC information systems (19 of 27) were not certified and accredited because (1) the certification and accreditation had lapsed or was never completed and (2) NRC information systems were being re-certified and re-accredited using new NIST requirements.[17] As a result, potential risks to agency information systems are unknown.
Subsequent to the FY 2005 FISMA independent evaluation, the former Chairman directed the agency to submit a plan to refocus the agency’s FISMA program for FY 2006 and to submit a plan for an independent review of NRC’s FISMA program.

NRC Refocused Information System Security Program

In prior years, the agency allowed current (legacy) systems to operate under an IATO prior to the completion of certification and accreditation, while concurrently pursuing authority to operate for new systems. However, OMB has clarified that allowing systems to operate under an IATO would not be an acceptable approach for the certification and accreditation of systems.

Under the refocused program, the agency will first perform certification and accreditation for systems that are a high priority from a mission perspective and others that potentially pose a higher security risk (e.g., agency systems that communicate with systems outside the NRC network). These high priority systems include legacy financial systems, two new systems, and infrastructure components supporting these high priority systems. In a December 2005 memorandum to the former Chairman, the agency stated it planned to complete the certification and accreditation for the high priority systems by the following dates:

     •   Financial systems: second quarter of FY 2006
     •   One of the new systems: third quarter of FY 2006
     •   The other new system: first quarter of FY 2007
     •   Infrastructure components concurrently with the high priority systems

The first phase of the refocused program included the development of a comprehensive certification and accreditation process, which is not yet finalized. The agency developed templates for all certification and accreditation documents and instructions for completing the templates.
The updated certification and accreditation process was also integrated into the agency’s new project management methodology.[18] One of the agency’s operational major applications was chosen to “pilot” the new process and documentation standards, in part, to ensure the new process is repeatable.

The refocused program has not resulted in the completion of a single certification and accreditation despite the (1) emphasis on the certification and accreditation of high priority systems and systems with a higher security risk and (2) application of at least $500,000 in funding to this initiative since December 2005. In the meantime, the certifications and accreditations for all but one of the agency’s operational systems have expired. This results in only 1 of the agency’s 30 operational systems having a current certification and accreditation, and that certification and accreditation expires in October 2006. As of September 1, 2006, the current target completion dates for certification and accreditation of the high priority systems, and the “pilot,” are as follows:[19]

       •    “Pilot” system: March 2007
       •    Financial systems: first quarter of FY 2007
       •    The two new systems: end of FY 2007
       •    General support system supporting one of the new systems: first quarter FY 2007
       •    Infrastructure components supporting high priority systems: second quarter FY 2007 and first quarter FY 2008
       •    Remaining agency operational systems by FY 2009

The FY 2005 FISMA independent evaluation made two recommendations to address the lack of certified and accredited systems; however, the agency is still in the process of implementing those recommendations.

[17] NRC information systems are being re-certified and re-accredited in accordance with the minimum security controls for information systems defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems.
[18] The agency’s project management methodology is currently in concurrence. The FY 2006 FISMA independent evaluation did not include a review of the new templates, their instructions, or the incorporation of the new certification and accreditation process into the agency’s project management methodology. The completion of these activities will be evaluated when they have been finalized and reported as completed to the OIG.
According to the agency, the current target date for completing the two\nrecommendations concerning the agency\xe2\x80\x99s certification and accreditation process is December\n29, 2006.\n\nAs stated previously, the fact that only 1 of the 30 operational NRC information systems has a\ncurrent certification and accreditation, and that only 4 of the 12 systems used or operated by a\ncontractor or other organization on behalf of the agency have a current certification and\naccreditation, constitutes a significant deficiency.\n\nIndependent Review of NRC\xe2\x80\x99s Information System Security Program\n\nAt the request of the former Chairman, the agency has engaged outside expertise to perform an\nindependent review of the adequacy of the agency\xe2\x80\x99s internal processes used to provide security\nto its information systems. NRC selected the Carnegie Mellon University\xe2\x80\x99s Software\nEngineering Institute to perform the independent review. The evaluation consists of three\nphases:\n\n       \xe2\x80\xa2    Evaluate the agency\xe2\x80\x99s implementation of the certification and accreditation process.\n       \xe2\x80\xa2    Perform a needs analysis of the capabilities of the NRC information system security\n            program.\n       \xe2\x80\xa2    Benchmark the agency\xe2\x80\x99s certification and accreditation process against similarly-sized\n            regulatory and comparable agencies.\n\nThe final reports are scheduled for release during the first quarter FY 2007.\n\n\n\n\n19\n      The agency stated in their formal written comments that the certifications and accreditations of the six systems\n     that are of highest mission priority will be completed by the end of January 2007.\n\n\n\n                                                             25\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s 
Issuance of Interim Approvals to Operate Is Not Consistent With NIST Guidance

As stated previously, there are three types of accreditation decisions that can be rendered by authorizing officials: (1) authorization to operate, (2) interim authorization to operate, and (3) denial of authorization to operate.

A full and complete certification and accreditation package is necessary for an authorizing official to render an accreditation decision. A complete certification and accreditation includes a security plan (which includes or references a risk assessment), a security assessment report, and a POA&M.

NRC bases the decision to issue an IATO on the submission of the following documents:

   •   NRC Form 616 – Notification of Electronic Information System Design or Modification
   •   NRC Form 637 – NRC Electronic Information System Records Scheduling Survey
   •   Privacy Impact Assessment
   •   e-Authentication Risk Assessment
   •   Security Categorization

Issuance of an IATO based on the submission of these documents is inconsistent with NIST guidance. None of these documents describes the actual risks that exist in the systems or identifies threats and vulnerabilities that could expose the agency’s information and information systems to an unacceptable level of risk. This information is necessary for the authorizing official to determine whether the risk to agency operations, agency assets, or individuals, based on the implementation of an agreed-upon set of security controls for these systems, is acceptable.

The following is a summary of some of the agency’s systems that are currently operating under an IATO.

   •   Five systems’ last certification and accreditation expired almost a year ago.
   •   Five systems’ last certification and accreditation expired more than 1 year ago.
   •   One system’s last certification and accreditation expired almost 2 years ago.
   •   Seven general support systems were identified when the LAN/WAN was divided into several general support systems. There is insufficient documentation to determine whether these systems are fully covered by the previous LAN/WAN certification and accreditation.
   •   Three systems have never had a complete certification and accreditation, as they are new general support systems identified when the LAN/WAN was divided into several general support systems. There is insufficient documentation to determine whether these systems are covered by the previous LAN/WAN certification and accreditation.
   •   Four systems have never had a complete certification and accreditation, but have a security plan and/or risk assessment.
   •   Four agency systems and two contractor systems have never had a complete certification and accreditation and do not have at least a security plan and risk assessment.

The agency may have some understanding of the threats, vulnerabilities, and risks associated with the systems operating under an IATO that have (1) an expired certification and accreditation, (2) a risk assessment, or (3) a security plan. However, these documents are now outdated. As noted above, there are several systems operating under an IATO that have never had a risk assessment and do not have a security plan. For these systems, the authorizing official cannot make an informed decision regarding whether or not the risk to agency operations, agency assets, or individuals is acceptable.

As stated previously, the Software Engineering Institute is currently evaluating the agency’s certification and accreditation process. The failure to follow NIST guidance when issuing an IATO is one of their preliminary findings.

Agency Funding of New Investments Is Inconsistent With OMB Guidance

OMB memoranda M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, and M-06-20 reminded agencies that (1) they must integrate security into and fund security over the lifecycle of each system undergoing development, modernization, or enhancement, and (2) legacy (steady-state) system operations must meet existing security requirements before new funds are spent on systems development, modernization or enhancement. As an example of this policy in practice, if an agency has a legacy system not currently certified and accredited or for which a contingency plan has not been tested, these actions must be completed before spending funds on a new system.

As stated previously, only one of the agency’s legacy systems has a current certification and accreditation, and only three agency systems had their contingency plans tested this year. However, the agency is spending new funds on systems development for several new systems. The following is an example of funds the agency has spent on new systems development.20

   •   Pilot system for electronically storing, processing, and transmitting the agency’s safeguards records – $1,374,000

3.8   Security Configuration Policy

      OMB Requirement                                                                 OIG Response
 6.a. Is there an agency wide security configuration policy?                          Yes
 6.b. Are configuration guides available for the products listed in the               Yes
      FY 2006 FISMA Reporting Template?

The agency has implemented several policies that address security configurations and their implementation. In May 2003, the agency developed the NRC System Security Baseline Implementation Plan. Its objective was to establish, develop, implement, maintain, and verify secure baseline configurations for all information systems. The NRC program is primarily based on the Center for Internet Security’s benchmarks and scoring tools. NRC personnel compiled and researched recommended “best practice” technical settings and actions and developed “in house” benchmarks for those platforms for which a benchmark has yet to be developed. The following platforms were the focus of the initiative:

   •   Microsoft NT
   •   Microsoft Windows 2000
   •   Novell NetWare
   •   Sun Solaris
   •   IBM AIX
   •   Linux

The scope of the plan is all NRC systems running the operating systems listed above and includes all systems that are currently in an “active” state and components of the primary NRC network. Subsequent to the implementation of the System Security Baseline Implementation Plan, the agency has begun using the following additional benchmarks and configuration guides.

   •   Windows 2003 Domain Controllers and Member Servers (Center for Internet Security)
   •   Microsoft Internet Information Server (National Security Agency)
   •   Microsoft SQL Server (National Security Agency)
   •   Router security configuration guide (National Security Agency)
   •   Cisco router Internet operating system (Center for Internet Security)
   •   Cisco PIX firewall (Center for Internet Security)
   •   Apache (Center for Internet Security)
   •   Oracle (Center for Internet Security)
   •   Sybase Adaptive Server Enterprise Scoring Tool (NRC developed)

The agency has also posted requirements on the NRC internal IT security Web page for the use of hardening specifications developed by the Center for Internet Security for all systems using the Red Hat Linux operating system. All deviations from the specification must be justified. Areas where the specification says “if absolutely necessary” require justification of the “absolutely necessary” use of the feature. The same applies to the “disable if possible” areas (justify not disabling).

Oracle is currently not in production, but is being tested for planned future production use. Apache is found in the production environment only as a customized version that is bundled with the list manager for the Web interface. Hardening guidelines for the Microsoft Internet Information Server are included with the Windows 2000/2003 configuration guides. HP-UX is found in the production environment, but it is not in widespread use and there is no baseline.

For desktops, NRC has developed a standard image for Windows XP that is based on NIST best practices. NRC uses PatchLink to keep desktop configurations consistent across NRC. LANDesk can also be used to push upgrades to the desktops. NRC Announcements21 are used to announce agency workstation updates. The announcements describe the nature of the upgrade and that it will occur via an automated procedure during network login. The announcement includes, as an attachment, the upgrade schedule for each NRC office.

The Office of Information Services also provides the Defense Information Systems Agency Gold Disk tool for the following Windows platforms:

   •   Windows Server 2003 Member Server
   •   Windows 2003 Domain Controller
   •   Windows XP Professional
   •   Windows 2000 Professional
   •   Windows 2000 Member Server
   •   Windows Domain Controller

NRC has also developed system security screening guidelines to prepare new systems for implementation into the NRC production operating environment. The security screening ensures that the system configuration meets NRC network security requirements.

20   Dollar figures were obtained from the FY 2007 Exhibit 53 as of January 2006. Dollar figures represent total funds expended through FY 2005.
The guidelines outline the steps necessary to request and perform the security screening process, provide guidance on managing and developing a secure system, and list industry best practices and additional resources.

3.9   Incident Detection and Handling Procedures

      OMB Requirement                                                                 OIG Response
 7.a. The agency follows documented policies and procedures for                       Yes
      identifying and reporting incidents internally.
 7.b. The agency follows documented policies and procedures for                       Yes
      external reporting to law enforcement authorities.
 7.c. The agency follows defined procedures for reporting to the                      Yes
      United States Computer Emergency Readiness Team (US-CERT).

Management Directive and Handbook 12.5, NRC Automated Information Systems Security Program, Appendix B, formalizes the agency’s procedures for monitoring, detecting, reporting, and responding to information systems security incidents. It also provides the requirements and procedures for reporting incidents internally, externally to law enforcement agencies/officials, and to US-CERT.22 The most current version of the incident response procedures is maintained on the agency’s IT Web site.

The Management Directive defines the roles and responsibilities for reporting and responding to information system security incidents. When criminal activity is suspected or confirmed, the procedures assign the OIG responsibility for contacting and coordinating the response with law enforcement officials.

3.10  Security Awareness and Training

      OMB Requirement                                                                 OIG Response
 8.   Has the agency ensured security training and awareness of all                   Mostly, or approximately
      employees, including contractors and those employees with                       81-95% of employees have
      significant IT security responsibilities?                                       sufficient training
 9.   Does the agency explain policies regarding peer-to-peer file                    Yes
      sharing in IT security awareness training, ethics training, or any
      other agency wide training?

All new NRC employees (including contractors, interns, and summer hires) are required to attend orientation the first day they report for duty. During the orientation, a member of the NRC Computer Security Team gives a brief presentation, which includes a discussion on appropriate use of information technology equipment. In addition, a member of the Office of the General Counsel presents a section on ethics that includes additional discussions on appropriate use of the Internet.

All employees, including contractors, are required to take the online NRC Computer Security Awareness course as soon as they receive a network UserID and every year thereafter. The Office of Information Services maintains a database of personnel who have taken the security awareness course and cross checks the list on a regular basis with an employee list provided by the NRC Office of Human Resources. A Computer Security Team member sends a message to NRC office directors and regional administrators around the first of the month reminding them to have their employees take the course. Information system security officers must sign an acknowledgement of their responsibilities when taking the position and are required to take an online Information System Security Officer training course in addition to the online NRC Computer Security Awareness course. NRC also provides an information systems security course for system administrators.

NRC meets the Office of Personnel Management requirement to expose employees to security awareness materials at least annually by (1) mandating all NRC staff take the NRC Computer Security Awareness course annually and by documenting who takes the training, (2) using posters, flyers, Web pages, NRC Yellow Announcements,23 NRC Announcements, and articles/notices in the NRC monthly newsletter to keep computer security on everyone’s mind throughout the year, and (3) holding an Annual NRC Computer Security Awareness Day event.

The agency is in the process of developing a computer security awareness and training program plan to fully implement the requirements outlined in OMB Circular A-130, Appendix III; FISMA; Management Directive and Handbook 12.5; and the Office of Personnel Management’s final regulations concerning information technology security awareness.

Agency staff and contractors are advised of the dangers of peer-to-peer applications during their annual Web-based security training. The online Computer Security Awareness course includes a discussion of the dangers of peer-to-peer applications such as instant messaging. Current agency policy does not explicitly prohibit peer-to-peer applications; however, the agency is blocking sites that support the unauthorized reproduction of copyrighted material, i.e., peer-to-peer and file sharing Web sites.

FINDING J – Agency Lacks Procedures for Ensuring Employees With Significant IT Security Responsibilities Receive Security Training (Repeat Finding)

The FY 2005 FISMA independent evaluation found that the agency had difficulty in gathering the information needed to report on (1) the total number of employees with significant IT security responsibilities, (2) the number of those employees who have received specialized training, and (3) the total costs for providing IT training. The agency’s training system does not identify which employees have significant IT security responsibilities and what courses are considered related to IT security.

21   NRC Announcements (formerly Network Announcements) communicate information of major significance or interest to agency employees, as well as urgent or time-sensitive information. These announcements do not require signature.
22   The procedures actually reference reporting to the Federal Computer Incident Response Center, which was replaced with the US-CERT when the Department of Homeland Security was established.
23   NRC Yellow Announcements (formerly Yellow Announcements) establish new policies, practices, or procedures; introduce changes in policy, senior staff assignments, or organization; or address major agencywide events. These announcements require signature and are retained as permanent records in the agency’s document management system.
The agency’s training system also does not account for any training the employees may have taken on their own time.

The agency is working with NRC offices to identify employees and contractors with significant IT security responsibilities. The agency is also developing procedures for ensuring staff with significant IT security responsibilities are identified, receive security training, and the individual and associated training are properly documented and readily identifiable. According to the agency, the current target date for completing the recommendation concerning security training for employees and contractors with significant IT security responsibilities is August 31, 2008.

4     Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Clearly identify the additional controls that are the responsibility of a high-impact system when a general support system categorized as having moderate-impact supports a high-impact system.
    2. Re-categorize the Network Continuity of Operations listed system as a general support system.
    3. Re-evaluate the procedures developed for identifying weaknesses to be tracked to ensure all known security weaknesses are reported on the POA&Ms.

The following are recommendations from FY 2005 that still remain open that correspond to the repeat findings. These recommendations can be found in OIG-05-A-21, Independent Evaluation of NRC’s Implementation of FISMA for Fiscal Year 2005.

    •   Categorize all NRC information systems, including systems operated by a contractor or other organization on behalf of the agency, in accordance with FIPS 199. (Recommendation #1)
    •   Develop and implement procedures to ensure contingency plans are tested annually, regardless of the status of the systems’ certification and accreditation. (Recommendation #3)
    •   Maintain current copies of certification and accreditation memoranda for systems provided by other Federal agencies. (Recommendation #4)
    •   Maintain current copies of self-assessments for systems provided by other Federal agencies. (Recommendation #5)
    •   Maintain current copies of annual contingency plan testing results for systems provided by other Federal agencies. (Recommendation #6)
    •   Develop and implement procedures for performing oversight of major applications and general support systems operated by a contractor or other organization on behalf of the agency. (Recommendation #7)
    •   Review and update the six completed e-authentication risk assessments to correct inaccuracies and inconsistencies with FIPS 199 security categorizations. (Recommendation #8)
    •   Develop and implement a plan for completing the remaining e-authentication risk assessments. (Recommendation #9)
    •   Develop and implement procedures for ensuring employees and contractors with significant IT security responsibilities are identified, receive security awareness and training, and the individual and associated training are readily identifiable. (Recommendation #10)

5     OIG Response to Agency Comments

At an exit conference with the agency held on September 26, 2006, the agency provided informal written comments and generally agreed with the report recommendations. Where appropriate, the OIG modified the report in response to these comments. On September 28, 2006, the agency provided formal written comments, which can be found in Appendix D.

Appendix A – Scope and Methodology

SCOPE AND METHODOLOGY

Carson Associates performed an independent evaluation of NRC’s Implementation of FISMA for FY 2006. To conduct the independent evaluation, the team met with agency staff responsible for implementing the agency’s information system security program, reviewed certification and documentation for the agency’s operational information systems, and reviewed other documentation provided by the agency that demonstrated their implementation of FISMA.

All analyses were performed in accordance with guidance from the following:

   •   National Institute of Standards and Technology standards and guidelines
   •   Nuclear Regulatory Commission Management Directive and Handbook 12.5, NRC Automated Information Systems Security Program
   •   NRC Office of the Inspector General audit guidance

This work was conducted between March 2006 and August 2006. Fieldwork ended August 31, 2006. Any information received from the agency subsequent to the completion of fieldwork was incorporated when possible. The work was conducted by Jane M. Laroussi, CISSP; Kelby M. Funn, CISA; and Omar Chaudhry, from Richard S. Carson and Associates, Inc.

Appendix B – Status of Contingency Plan Testing

STATUS OF CONTINGENCY PLAN TESTING

The following information on the status of contingency plan testing was obtained from the 3rd Quarter FY 2006 POA&Ms submitted by the agency to OMB and from working papers from the FY 2005 FISMA independent evaluation. This information is for the 30 operational agency systems as well as for one contractor system.

                      Table B-1. Status of Contingency Plan Testing

 System            Last CP Test Date     Scheduled Test Date      Comment
 3-Tier Web        Never tested          Not scheduled            System was put into production without a
                                                                  certification and accreditation. There is no
                                                                  3rd Quarter FY 2006 POA&M for the system.
 ADAMS             August 16, 2004       August 2006
 CTF               June 29, 2004         March 2008               Last test was “inherited” from LAN/WAN.
 DCS               April 29, 2004        September 2006           POA&M states testing was completed
                                                                  June 1, 2004.
 DDMS              Week of May 15, 2006  Not scheduled
 Desktops          June 29, 2004         June 2008                Last test was “inherited” from LAN/WAN.
 E-mail            June 29, 2004         December 2008            Last test was “inherited” from LAN/WAN.
 EHD               Never tested          October 2006
 EIE               April 6, 2006         Not scheduled            Agency has not reviewed/approved test
                                                                  results.
 ERDS              May 24, 2004          December 2007            POA&M states testing was completed
                                                                  June 1, 2004.
 FEES              August 24, 2006       Not scheduled
 GLTS              May 13, 2004          Task order date          The system owner will set an actual date
                                         + 7.5 months             upon award of a task order under the new
                                                                  information system security program
                                                                  contract.
 HPCS-CDS          Never tested          N/A                      Planned transition to listed system by
                                                                  July 30, 2006. As of September 1, 2006,
                                                                  the transition had not occurred.
 HPCS-CFD          Never tested          N/A                      Planned transition to listed system by
                                                                  July 30, 2006. As of September 1, 2006,
                                                                  the transition had not occurred.
 HRMS              August 21, 2006       Not scheduled
 IDS               June 29, 2004         January 2007             Last test was “inherited” from LAN/WAN.
 IPSS              July 25, 2003         June 2007
 LAN/WAN           May 10 and            September 2006           Test report is dated May 23, 2005.
                   May 11, 2005
 LSN               April 27-28, 2006     Not scheduled            This is a contractor system.
 LTS               May 18, 2004          Waiting for contract     Was to be retired by September 30, 2005.
                                         award to set date,       As of September 1, 2006, the system had
                                         original date was        not been retired.
                                         June 1, 2006
 MPKI              June 29, 2004         September 2006           Last test was “inherited” from LAN/WAN.
 Novell Servers    June 29, 2004         November 2007            Last test was “inherited” from LAN/WAN.
 NSICD             Never tested          Not scheduled            This is a new system. There is no 3rd
                                                                  Quarter FY 2006 POA&M for the system.
 OCIMS             May 24, 2004          July 2006                POA&M states testing was completed
                                                                  September 8, 2004.
 RAS               March 27, 2004        Not scheduled            This is another general support system
                                                                  that was broken out from the LAN/WAN.
There is\n                                                         no 3rd Quarter FY 2006\n                                                         POA&M for the system.\n                                                         According to the agency, it was\n                                                         included with the continuity of\n                                                         operations testing performed in\n                                                         March 2004.\nRPS              June 28, 2006     Not scheduled         Agency has not reviewed/\n                                                         approved test results.\n\n\n\n\n                                       38\n\x0c                                                       Appendix B \xe2\x80\x93 Status of Contingency Plan Testing\n                                                                             Independent Evaluation of\n                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n\n                      Last CP Test      Scheduled Test\n       System                                                              Comment\n                          Date              Date\nTAC                 June 24, 2005       N/A                  Planned transition to listed\n                                                             system (once HPCS moves to\n                                                             the production operating\n                                                             environment).\nTelecommunications April 29, 2004       November 30,         Combined DCS/Telecomm\n                                        2006                 POA&M states testing was\n                                                             completed June 1, 2004. 
This is\n                                                             a general support system that\n                                                             was broken out from the old\n                                                             Data Center/\n                                                             Telecommunications general\n                                                             support system. There is no 3rd\n                                                             Quarter FY 2006 POA&M for\n                                                             the system.\nUnix Servers        Insufficient        June 1, 2006         This is another general support\n                    documentation       (delayed,            system that was broken out\n                    to determine        completion date      from the LAN/WAN.\n                    whether covered     to be\n                    by previous tests   determined)\nWeb Servers         Insufficient        June 1, 2006         This is another general support\n                    documentation       (delayed,            system that was broken out\n                    to determine        completion date      from the LAN/WAN.\n                    whether covered     to be\n                    by previous tests   determined)\nWindows Servers     June 29, 2004       May 2008             Last test was \xe2\x80\x9cinherited\xe2\x80\x9d from\n                                                             LAN/WAN.\n\nADAMS             Agencywide Document Access and Management System\nCTF               Consolidated Test Facility\nDCS               Data Center Services\nDDMS              Digital Data Management System\nEHD               Electronic Hearing Docket\nEIE               Electronic Information Exchange\nERDS              Emergency Response Data System\nFEES              License Fee Reporting System\nGLTS              General License Tracking System\nHPCS-CDS          High 
Performance Computing System \xe2\x80\x93 Code Development System\nHPCS-CFD          High Performance Computing System \xe2\x80\x93 Computational Fluid Dynamics\n                  System\nHRMS              Human Resources Management System\n\n\n                                           39\n\x0c                                          Appendix B \xe2\x80\x93 Status of Contingency Plan Testing\n                                                                Independent Evaluation of\n                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\nIDS       Intrusion Detection Systems\nIPSS      Integrated Personnel Security System\nLAN/WAN   Local Area Network/Wide Area Network\nLSN       Licensing Support Network\nLTS       License Tracking System\nMPKI      Managed Public Key Infrastructure\nNSICD     NRC Systems Inventory and Configuration Database\nOCIMS     Operations Center Information Management System\nRAS       Remote Access System\nRPS       Reactor Program System\nTAC       Technology Assessment Center\n\n\n\n\n                                40\n\x0c                                                                                                      Appendix C \xe2\x80\x93 FY 2006 OMB FISMA Reporting Template for Agency IGs\n                                                                                                                                             Independent Evaluation of\n                                                                                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\nFY 2006 OMB FISMA REPORTING TEMPLATE FOR AGENCY IGs\n\nThis appendix contains the FY 2006 OMB FISMA Reporting Template for Agency IGs and the\nadditional narrative that will be included with the agency\xe2\x80\x99s FISMA submission to OMB.\n\n                                                                                        Section C: Inspector 
General. Questions 1, 2, 3, 4, and 5.\n\n                                                                                             Agency Name: Nuclear Regulatory Commission\n\n                                                                                                              Question 1 and 2\n\n1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an\nagency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).\n\n\n            To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:\n            1) Continue to use NIST Special Publication 800-26, or,\n            2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53\n\n            Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency, therefore, self reporting by contractors does not meet the\n            requirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n\n\n2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. 
From the representative subset of systems evaluated, identify the\nnumber of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.\n\n                                                                                                  Question 1                                                                                Question 2\n                                                                        a.                           b.                             c.                              a.                         b.                         c.\n                                                                  Agency Systems             Contractor Systems           Total Number of Systems         Number of systems         Number of systems for Number of systems for which\n                                                                                                                                                        certified and accredited    which security controls contingency plans have been\n                                                                                                                                                                                     have been tested and     tested in accordance with\n                                                                                                                                                                                   evaluated in the last year    policy and guidance\n\n\n                                    FIPS 199 Risk Impact        Total         Number          Total        Number                        Number          Total       Percent of      Total        Percent of\nBureau Name                                 Level              Number        Reviewed        Number       Reviewed       Total Number   Reviewed        Number         
Total        Number          Total       Total Number Percent of Total\nNRC                                   High                               3               0           0               0              3               0            0          0.0%             3           0.0%                0           0.0%\n                                      Moderate                           8               0           0               0              8               0            0          0.0%             8           0.0%                3           0.0%\n                                      Low                                0               0           1               0              1               0            0          0.0%             1           0.0%                1           0.0%\n                                      Not Categorized                   19               0          11               0             30               0            5          0.0%            21           0.0%                0           0.0%\n                                   Sub-total                            30               0          12               0             42               0            5          0.0%            33           0.0%                4           0.0%\nBureau                                High                                                                                          0               0                       0.0%                         0.0%                            0.0%\n                                      Moderate                                                                                      0               0                       0.0%                         0.0%                            0.0%\n                                      Low                                                                                           0               0                       0.0%                         0.0%                            0.0%\n                
                      Not Categorized                                                                               0               0                       0.0%                         0.0%                            0.0%\n                                   Sub-total                             0               0            0              0              0               0            0          0.0%             0           0.0%                0           0.0%\nBureau                                High                                                                                          0               0                       0.0%                         0.0%                            0.0%\n                                      Moderate                                                                                      0               0                       0.0%                         0.0%                            0.0%\n                                      Low                                                                                           0               0                       0.0%                         0.0%                            0.0%\n                                      Not Categorized                                                                               0               0                       0.0%                         0.0%                            0.0%\n                                   Sub-total                             0               0            0              0              0               0            0          0.0%             0           0.0%                0           0.0%\nBureau                                High                                                                                          0               0                       0.0%                         0.0%                            0.0%\n                                      Moderate                                                          
                            0               0                       0.0%                         0.0%                            0.0%\n                                      Low                                                                                           0               0                       0.0%                         0.0%                            0.0%\n                                      Not Categorized                                                                               0               0                       0.0%                         0.0%                            0.0%\n                                   Sub-total                             0               0            0              0              0               0            0          0.0%             0           0.0%                0           0.0%\nBureau                                High                                                                                          0               0                       0.0%                         0.0%                            0.0%\n                                      Moderate                                                                                      0               0                       0.0%                         0.0%                            0.0%\n                                      Low                                                                                           0               0                       0.0%                         0.0%                            0.0%\n                                      Not Categorized                                                                               0               0                       0.0%                         0.0%                            0.0%\n                                   Sub-total                             0               0            0              0              0               0            0          0.0%             0  
         0.0%                0           0.0%\nBureau                                High                                                                                          0               0                       0.0%                         0.0%                            0.0%\n                                      Moderate                                                                                      0               0                       0.0%                         0.0%                            0.0%\n                                      Low                                                                                           0               0                       0.0%                         0.0%                            0.0%\n                                      Not Categorized                                                                               0               0                       0.0%                         0.0%                            0.0%\n                                   Sub-total                             0               0            0              0              0               0            0          0.0%             0           0.0%                0           0.0%\nBureau                                High                                                                                          0               0                       0.0%                         0.0%                            0.0%\n                                      Moderate                                                                                      0               0                       0.0%                         0.0%                            0.0%\n                                      Low                                                                                           0               0                       0.0%                         0.0%                            0.0%\n                                      
Not Categorized                                                                               0               0                       0.0%                         0.0%                            0.0%\n                                   Sub-total                             0               0            0              0              0               0            0          0.0%             0           0.0%                0           0.0%\nBureau                                High                                                                                          0               0                       0.0%                         0.0%                            0.0%\n                                      Moderate                                                                                      0               0                       0.0%                         0.0%                            0.0%\n                                      Low                                                                                           0               0                       0.0%                         0.0%                            0.0%\n                                      Not Categorized                                                                               0               0                       0.0%                         0.0%                            0.0%\n                                   Sub-total                             0               0            0              0              0               0            0          0.0%             0           0.0%                0           0.0%\nAgency Totals                          High                              3               0            0              0              3               0            0          0.0%             3           0.0%                0           0.0%\n                                      Moderate                           8               0           0               0        
      8               0            0          0.0%             8           0.0%                3           0.0%\n                                      Low                                0               0           1               0              1               0            0          0.0%             1           0.0%                1           0.0%\n                                      Not Categorized                   19               0          11               0             30               0            5          0.0%            21           0.0%                0           0.0%\n                                   Total                                30               0          12               0             42               0            5          0.0%            33           0.0%                4           0.0%\n\n\n\n\n                                                                                                                     41\n\x0c                                                                                                        Appendix C \xe2\x80\x93 FY 2006 OMB FISMA Reporting Template for Agency IGs\n                                                                                                                                               Independent Evaluation of\n                                                                                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2006\n\n                                                                                                                    Question 3\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n                                    The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the\n                                    agency or other organization on behalf of the agency meet the 
requirements of FISMA, OMB policy and NIST guidelines,\n                                    national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 and/or NIST 800-53\n                                    requirements by a contractor or other organization is not sufficient, however, self-reporting by another Federal agency may\n                                    be sufficient.\n                 3.a.                                                                                                                                              - Mostly, for example, approximately 81-95% of the time\n                                    Response Categories:\n                                         - Rarely, for example, approximately 0-50% of the time\n                                         - Sometimes, for example, approximately 51-70% of the time\n                                         - Frequently, for example, approximately 71-80% of the time\n                                         - Mostly, for example, approximately 81-95% of the time\n                                         - Almost Always, for example, approximately 96-100% of the time\n\n\n                                    The agency has developed an inventory of major information systems (including major national security systems) operated\n                                    by or under the control of such agency, including an identification of the interfaces between each such system and all other\n                                    systems or networks, including those not operated by or under the control of the agency.\n\n                                    Response Categories:\n                3.b.1.                                                                                                                                                  
- Approximately 51-70% complete\n                                         - Approximately 0-50% complete\n                                         - Approximately 51-70% complete\n                                         - Approximately 71-80% complete\n                                         - Approximately 81-95% complete\n                                         - Approximately 96-100% complete\n\n                                                                                                                                                                   Missing Agency Systems: Network Continuity of Operations\n\n                                    If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list the systems that are missing\n                3.b.2.\n                                    from the inventory.                                                                                                            Missing Contractor Systems:\n\n\n\n                 3.c.               The OIG generally agrees with the CIO on the number of agency owned systems.                                                                                      Yes\n\n\n                                    The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the\n                 3.d.                                                                                                                                                                                 Yes\n                                    agency or other organization on behalf of the agency.\n\n\n                 3.e.               The agency inventory is maintained and updated at least annually.                                                                                                 Yes\n\n\n                 3.f.               The agency has completed system e-authentication risk assessments.                           
      No

Question 4

Through this question, and in the format provided below, assess whether the agency has developed,
implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate
the degree to which the following statements reflect the status in your agency by choosing from the
responses provided in the drop down menu. If appropriate or necessary, include comments in the area
provided below.

For items 4.a.-4.f., the response categories are as follows:

      -   Rarely, for example, approximately 0-50% of the time
      -   Sometimes, for example, approximately 51-70% of the time
      -   Frequently, for example, approximately 71-80% of the time
      -   Mostly, for example, approximately 81-95% of the time
      -   Almost Always, for example, approximately 96-100% of the time

4.a.  The POA&M is an agency wide process, incorporating all known IT security weaknesses associated
      with information systems used or operated by the agency or by a contractor of the agency or other
      organization on behalf of the agency.
      Response: Almost Always, for example, approximately 96-100% of the time

4.b.  When an IT security weakness is identified, program officials (including CIOs, if they own or
      operate a system) develop, implement, and manage POA&Ms for their system(s).
      Response: Almost Always, for example, approximately 96-100% of the time

4.c.  Program officials, including contractors, report to the CIO on a regular basis (at least
      quarterly) on their remediation progress.
      Response: Almost Always, for example, approximately 96-100% of the time

4.d.  CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
      Response: Almost Always, for example, approximately 96-100% of the time

4.e.  OIG findings are incorporated into the POA&M process.
      Response: Almost Always, for example, approximately 96-100% of the time

4.f.  POA&M process prioritizes IT security weaknesses to help ensure significant IT security
      weaknesses are addressed in a timely manner and receive appropriate resources.
      Response: Almost Always, for example, approximately 96-100% of the time

Comments: NRC has two primary tools for tracking IT security weaknesses. At a high level, NRC uses the
POA&Ms submitted to OMB to track (1) corrective actions from the OIG annual independent evaluation,
(2) corrective actions from the agency’s annual review, and (3) recurring FISMA and IT security action
items such as annual self-assessments, and annual contingency plan testing. The POA&Ms may also
include corrective actions resulting from other security studies conducted by or on behalf of NRC. At
a more detailed level, NRC uses an internal system to track the progress of more specific corrective
actions. These include corrective actions resulting from activities associated with the certification
and accreditation process (e.g., risk assessment, security test and evaluation).

Appendix C – FY 2006 OMB FISMA Reporting Template for Agency IGs
Independent Evaluation of NRC’s Implementation of FISMA for FY 2006

Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a
qualitative assessment of the agency’s certification and accreditation process, including adherence
to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37,
“Guide for the Security Certification and Accreditation of Federal Information Systems” (May, 2004)
for certification and accreditation work initiated after May, 2004. This includes use of the FIPS 199
(February, 2004), “Standards for Security Categorization of Federal Information and Information
Systems,” to determine an impact level, as well as associated NIST documents used as guidance for
completing risk assessments and security plans.

      Assess the overall quality of the Department's certification and accreditation process.

      Response Categories:
           - Excellent
           - Good
           - Satisfactory
           - Poor
           - Failing

      Response: Failing

Comments: See attached narrative, page 4.

Section C: Inspector General.
Questions 1, 2, 3, 4, and 5.

Agency Name: Nuclear Regulatory Commission

Question 6

6.a.  Is there an agency wide security configuration policy? Yes or No.
      Response: Yes
      Comments:

6.b.  Configuration guides are available for the products listed below. Identify which software is
      addressed in the agency wide security configuration policy. Indicate whether or not any agency
      systems run the software. In addition, approximate the extent of implementation of the security
      configuration policy on the systems running the software.

      Response choices for the extent of implementation include:
      - Rarely, or, on approximately 0-50% of the systems running this software
      - Sometimes, or on approximately 51-70% of the systems running this software
      - Frequently, or on approximately 71-80% of the systems running this software
      - Mostly, or on approximately 81-95% of the systems running this software
      - Almost Always, or on approximately 96-100% of the systems running this software

Product                          Addressed in        Do any agency      Approximate extent of implementation of
                                 agencywide policy?  systems run        the security configuration policy on the
                                 (Yes, No, or N/A)   this software?     systems running the software
                                                     (Yes or No)

Windows XP Professional          Yes                 Yes                Almost Always (approximately 96-100%)
Windows NT                       Yes                 Yes                Almost Always (approximately 96-100%)
Windows 2000 Professional        Yes                 Yes                Almost Always (approximately 96-100%)
Windows 2000 Server              Yes                 Yes                Almost Always (approximately 96-100%)
Windows 2003 Server              Yes                 Yes                Almost Always (approximately 96-100%)
Solaris                          Yes                 Yes                Almost Always (approximately 96-100%)
HP-UX                            No                  Yes                Almost Always (approximately 96-100%)
Linux                            Yes                 Yes                Almost Always (approximately 96-100%)
Cisco Router IOS                 Yes                 Yes                Almost Always (approximately 96-100%)
Oracle                           Yes                 Yes                Almost Always (approximately 96-100%)
Other. Specify: Novell, AIX,     Yes                 Yes                Almost Always (approximately 96-100%)
Sybase, SQL Server, Cisco PIX,
IIS, Apache

Comments: W2K Pro is installed only on selected standalone laptops purchased when W2K Pro was the
standard Microsoft operating system. These systems are not part of the NRC production operating
environment (POE). HP-UX is found in the production environment, but it is not in widespread use and
there is no baseline. Oracle configuration guides are available, but this software is currently not in
production. Oracle is being tested for planned future production use. Apache configuration guides are
also available, but this software is only found in the POE as a customized version that is bundled with
the list manager for the Web interface. It is also installed on a development server. IIS hardening
guidelines are included in the Windows 2000/2003 configuration guides. There is an IIS 5 configuration
guide.

Question 7

Indicate whether or not the following policies and procedures are in place at your agency. If
appropriate or necessary, include comments in the area provided below.

7.a.  The agency follows documented policies and procedures for identifying and reporting incidents
      internally. Yes or No.
      Response: Yes

7.b.  The agency follows documented policies and procedures for external reporting to law enforcement
      authorities. Yes or No.
      Response: Yes

7.c.  The agency follows defined procedures for reporting to the United States Computer Emergency
      Readiness Team (US-CERT).
      http://www.us-cert.gov
      Yes or No.
      Response: Yes

Comments:

Question 8

8     Has the agency ensured security training and awareness of all employees, including contractors
      and those employees with significant IT security responsibilities?

      Response Choices include:
      - Rarely, or, approximately 0-50% of employees have sufficient training
      - Sometimes, or approximately 51-70% of employees have sufficient training
      - Frequently, or approximately 71-80% of employees have sufficient training
      - Mostly, or approximately 81-95% of employees have sufficient training
      - Almost Always, or approximately 96-100% of employees have sufficient training

      Response: Mostly, or approximately 81-95% of employees have sufficient training

Question 9

9     Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness
      training, ethics training, or any other agency wide training? Yes or No.
      Response: Yes

The following supplemental information is provided in support of the FY 2006 Office of Management and
Budget (OMB) Federal Information Security Management Act (FISMA) Reporting Template for Agency
Inspectors General for the Nuclear Regulatory Commission (NRC). The independent evaluation of NRC’s
implementation of FISMA for FY 2006 was conducted by Richard S. Carson and Associates, Inc. (Carson
Associates) on behalf of the NRC Office of the Inspector General (OIG).

Question 1.a. NRC has a total of 30[24] operational systems that fall under FISMA reporting
requirements.[25] Of the 30, 17 are general support systems, and 13 are major applications. As
required by FISMA, the NRC OIG selected a subset of NRC systems for evaluation during the FY 2006 FISMA
independent evaluation. However, during the course of fieldwork, the OIG learned that the
re-certification and re-accreditation of these systems, scheduled to be completed by August 2006, would
not be completed during the FY 2006 FISMA reporting period. Furthermore, there were no other systems to
evaluate because there were only two operational systems with a current certification and accreditation
at the time the OIG was selecting systems for evaluation. One of these systems was evaluated by the OIG
in FY 2006 and the other system’s certification and accreditation expired during the FY 2006 FISMA
reporting period. Without enough systems with current certifications and accreditations, Carson
Associates could not perform an evaluation of a representative subset of agency systems for the FY 2006
FISMA independent evaluation.

[24] The agency reports 31 operational systems. The OIG disagrees with the agency that an OIG system is
     a major application. It has been categorized as a listed system since it began operations in 2004.
     This designation is presently under a detailed review. Therefore, the metrics submitted by the OIG
     reflect a total of 30 operational systems.
[25] NRC also has a number of major applications and general support systems currently in development.
     For FISMA reporting purposes, only operational systems are considered.

Question 1.b. NRC has a total of 12 systems operated by a contractor or other organization on behalf of
the agency (8 major applications and 4 general support systems). Of the 12, 7 are operated by other
Federal agencies, 2 are operated by federally funded research and development centers, and 3 are
operated by private contractors. Carson Associates selected 1 of the 12 systems operated by a contractor
or other organization on behalf of the agency for evaluation during the FY 2006 FISMA independent
evaluation. However, that system did not have a current certification and accreditation and there was
not sufficient information available to perform an evaluation.

Question 2. The metrics in Question 2 represent the status for all NRC systems, not just a subset of
systems.

Question 2.a. Only one agency system is certified and accredited, and only four systems operated by a
contractor or other organization on behalf of the agency are certified and accredited.
NRC is still developing procedures for maintaining documentation that demonstrates systems provided by
other Federal agencies meet FISMA requirements and that other contractor systems are certified and
accredited.

In accordance with OMB requirements, the fact that only 1 of the 30 operational NRC information systems
has a current certification and accreditation, and that only 4 of the 12 systems used or operated by a
contractor or other organization on behalf of the agency have a current certification and accreditation,
constitutes a significant deficiency.

Question 2.b. NRC meets the FISMA requirement to test and evaluate the security controls of agency
information systems by performing annual self-assessments on the systems. In addition, NRC developed a
self-assessment for common controls that are applicable to all NRC systems. NRC performed
self-assessments on all agency operational systems with the exception of one general support system.
NRC also performed self-assessments on the four NRC regions and the NRC Technical Training Center.

NRC performed self-assessments on 4 of the 12 systems operated by a contractor or other organization on
behalf of the agency. The remaining 8 systems are operated by other Federal agencies. NRC is still
developing procedures for maintaining documentation that demonstrates systems provided by other Federal
agencies meet FISMA requirements.

Question 2.c. Only three agency systems had their contingency plans tested in the last year. The agency
has reported that two additional major applications had their contingency plans tested in the past
year. However, the testing results for these systems are still under review by the agency. Therefore,
those systems are not included in the metrics. The agency has also reported that one contractor system
had its contingency plan tested in the past year. NRC is still developing procedures for maintaining
documentation that demonstrates systems provided by other Federal agencies meet FISMA requirements.

In accordance with OMB requirements, the fact that the agency has failed to conduct annual contingency
plan testing for the past two years constitutes a significant deficiency.

Question 3.a. NRC presumes that the Federal agencies that operate 8 of the 12 contractor systems are
also following FISMA and guidelines from the National Institute of Standards and Technology (NIST).
However, the agency is still implementing recommendations from the FY 2005 FISMA independent evaluation
to (1) maintain copies of all certification and accreditation documentation for these systems, (2)
verify that the security controls have been tested and evaluated for these systems on an annual basis,
and (3) verify that the contingency plans have been tested and evaluated for these systems on an annual
basis. The agency has been working with the offices to assist in acquiring the required documentation
for the contractor systems provided by other Federal agencies. However, according to the agency, some
of the other Federal agencies have been unwilling to provide documentation that demonstrates they meet
FISMA requirements. The other Federal agencies have also been unwilling to share copies of their annual
self-assessments or results from their annual contingency plan testing. In a follow-up memorandum to
the agency regarding the status of these recommendations, the OIG suggested a possible solution to the
problem. The OIG stated that a memorandum from the Federal agencies stating that annual
self-assessments and annual contingency plan testing have been completed will be sufficient to meet the
intent of the recommendations. The agency is currently working towards obtaining such memoranda.

The agency is also still developing procedures for performing sufficient oversight and evaluation for
contractor systems provided by private contractors to ensure the information systems meet requirements
of FISMA, OMB policy, NIST guidelines, and agency policy.

Question 3.b.1. While FISMA requires agencies to maintain an inventory of only major information
systems (major applications and general support systems), NRC also tracks two other system types in its
inventories – Listed[26] and Other.[27] The FY 2005 FISMA independent evaluation found that the
agency’s inventory was only 51-70 percent completed because (1) information in the agency’s two
inventory systems was inaccurate and inconsistent and (2) only one of the two inventory systems
contained information on system interfaces. In FY 2006, Carson Associates did not evaluate whether the
agency inventory included information on system interfaces as the agency has not completed the
recommendations resulting from the FY 2005 FISMA independent evaluation regarding problems with the
inventory.

Question 3.b.2. The agency’s Network Continuity of Operations system is currently categorized as a
listed system. In accordance with OMB guidance, the NRC Network Continuity of Operations system is a
high-impact system, and therefore should be categorized as a general support system, and not a listed
system.

[26] A Listed system is a computerized information system or application that (1) processes sensitive
     information requiring additional security protections and (2) may be important to an NRC office’s
     or region’s operations, but which is not a major application or general support system when viewed
     from an agency perspective. Sensitive data may include individual Privacy Act information, law
     enforcement sensitive information, sensitive contractual and financial information, safeguards, and
     classified information.
[27] An Other system is an NRC system that does not require additional security protections and is
     adequately protected by the security provided by the NRC local area network/wide area network.

Question 3.c. Carson Associates generally agreed with the CIO on the number of agency owned major
applications and general support systems. However, Carson Associates did not fully evaluate the
completeness of the agency’s inventory, as the agency has not completed the recommendations resulting
from the FY 2005 FISMA independent evaluation regarding problems with the inventory.

Question 3.e. Carson Associates did not fully evaluate whether the agency inventory is maintained and
updated at least annually, as the agency has not completed the recommendations resulting from the FY
2005 FISMA independent evaluation regarding problems with the inventory.

Question 3.f. The FY 2005 FISMA independent evaluation found that e-authentication risk assessments had
been completed for only 6 of the agency’s 27 operational systems.[28] In FY 2005, Carson Associates
reviewed the six completed e-authentication risk assessments and found them to be incorrect and
inconsistent with the systems’ security categorizations. In FY 2005, the agency stated that
e-authentication risk assessments would be “supported under the interim Information Systems Security
contract awarded August 11, 2005 and were expected to be completed by December 15, 2005.” However, as of
September 1, 2006, the agency had only provided e-authentication risk assessments for 10 of the agency’s
30 operational systems, and 1 of the agency’s contractor systems.

[28] In FY 2005, the agency had 27 operational systems. The agency now has 30 operational systems.

Question 4. While the agency’s POA&M process is adequate, the agency has made minimal progress in
correcting weaknesses reported on its POA&Ms. The agency has corrected 15 percent of its program level
weaknesses, and 22.7 percent of its system level weaknesses. The majority of delays have been caused by
delays in completing certifications and accreditations.

Question 5. To correct weaknesses identified by the FY 2005 FISMA independent evaluation by the NRC
OIG, and to address findings from the agency’s own evaluation, the agency has refocused its information
system security program. Under the refocused program, the agency will first perform certification and
accreditation for those systems that are a high priority from a mission perspective, and those that
potentially pose a higher security risk (e.g., agency systems that communicate with systems outside the
NRC network). The first phase of the refocused program included the development of a comprehensive
certification and accreditation process, which is not yet finalized. The agency developed templates
for all certification and accreditation documents and instructions for completing the templates. The
updated certification and accreditation process was also integrated into the agency’s new project
management methodology. One of the agency’s operational major applications was chosen to “pilot” the
new process and documentation standards, in part, to ensure the new process is repeatable.

The refocused program has not resulted in the completion of a single certification and accreditation
despite the (1) emphasis on the certification and accreditation of high priority systems and systems
with a higher security risk and (2) application of at least $500,000 in funding to this initiative
since December 2005. In the meantime, the certifications and accreditations for all but one of the
agency’s operational systems have expired. The certification and accreditation for the one agency
system that was current during the evaluation expires in October 2006.

As stated previously, the fact that only 1 of the 30 operational NRC information systems has a current
certification and accreditation, and that only 4 of the 12 systems used or operated by a contractor or
other organization on behalf of the agency have a current certification and accreditation, constitutes
a significant deficiency.

Question 8. NRC ensures all employees and contractors receive security awareness and training.
However, the FY 2005 FISMA independent evaluation found that the agency had difficulty in gathering the
information needed to report on (1) the total number of employees with significant IT security
responsibilities, (2) the number of those employees who have received specialized training, and (3)
the total costs for providing IT training. The agency is still developing procedures for ensuring
employees with significant information technology security responsibilities receive security training.

Appendix D – Formal Agency Comments
Independent Evaluation of NRC’s Implementation of FISMA for FY 2006

FORMAL AGENCY COMMENTS